b'                 United States Department of Justice\n                      Office of the Inspector General\n                                        Audit Division\n\n\n\n\nAUDIT REPORT\n\n\n\n FEDERAL BUREAU OF\n  INVESTIGATION\xe2\x80\x99S\n  MANAGEMENT OF\n    INFORMATION\n    TECHNOLOGY\n    INVESTMENTS\n\n\n\n\n DECEMBER 2002\n\n      03-09\n\x0cFEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S MANAGEMENT\n   OF INFORMATION TECHNOLOGY INVESTMENTS\n\n\n                          EXECUTIVE SUMMARY\n\n       Following the September 11, 2001, terrorist attacks, the Attorney\nGeneral and the Director of the Federal Bureau of Investigation (FBI)\nmade clear that prevention of terrorism is the top priority of the\nDepartment of Justice (DOJ) and the FBI. Effective use of information\ntechnology (IT) is crucial to the FBI\xe2\x80\x99s ability to meet this priority as well\nas its other critical responsibilities.\n\n       However, reviews conducted by the Office of the Inspector\nGeneral (OIG) and the General Accounting Office (GAO) have found\nmajor weaknesses associated with the FBI\xe2\x80\x99s IT. The FBI has listed\nupgrading its information technology as one of its top ten highest\npriorities. In June 2002 Congressional testimony, the FBI\nacknowledged that its IT infrastructure is severely outdated.\n\n      Because of the importance of the FBI\xe2\x80\x99s management of its IT\nsystems, we performed this audit to: (1) determine whether the FBI\nwas effectively managing its IT investments; and (2) assess the FBI\xe2\x80\x99s\nIT-related strategic planning and performance measurement activities.1\nWe also examined the FBI\xe2\x80\x99s efforts to develop enterprise architecture2\nand project management capabilities.\n\n       In this audit, we conducted approximately 85 interviews with\n70 officials from the FBI, DOJ, GAO, and the Office of Management and\nBudget (OMB). The FBI officials interviewed were from the Director\xe2\x80\x99s\noffice, Information Resources Division, Criminal Justice Information\nServices Division, Laboratory Division, Inspection Division, and Finance\n\n       1\n        During our audit fieldwork, we initiated work relating to a third objective: to\ndetermine if the FBI has implemented prior information technology related\nrecommendations directed toward improving information technology. We will issue a\nseparate report on this objective.\n       2\n          Enterprise architecture is the organization-wide blueprint that defines an\nentity\xe2\x80\x99s functions and systems, including IT systems. It provides a comprehensive\nview (through models, narratives, and diagrams) of the interrelationships of an\norganization\xe2\x80\x99s operations and structures and how these structures align with the\norganization\xe2\x80\x99s mission. The Clinger-Cohen Act of 1996 recognizes the\ninterrelationship between enterprise architecture and IT investment management by\nrequiring federal agencies to develop an enterprise architecture.\n\n\n                                         -i-\n\x0cDivision. Additionally, OIG auditors and analysts traveled to FBI\nlaboratory facilities in Quantico, VA, and five FBI field offices to\nconduct interviews and assess the FBI\xe2\x80\x99s implementation of IT\ninitiatives. We also reviewed more than 200 documents, including the\nFBI\xe2\x80\x99s IT management policies and procedures, project management\nguidance, strategic and program plans, IT project proposals and\nmanagement plans, budget documentation, organizational structures,\nCongressional testimony, and prior OIG and GAO reports.\n\n1. Summary of Audit Findings\n\n      We concluded that the FBI has not effectively managed its IT\ninvestments because it has not fully implemented the management\nprocesses associated with successful IT investments. The foundation\nfor sound IT investment management (ITIM) includes the following\nfundamental elements:\n\n  \xe2\x80\xa2   defining and developing IT investment boards;\n\n  \xe2\x80\xa2   following a disciplined process of tracking and overseeing each\n      project\xe2\x80\x99s cost and schedule milestones over time;\n\n  \xe2\x80\xa2   identifying existing IT systems and projects;\n\n  \xe2\x80\xa2   identifying the business needs for each IT project; and\n\n  \xe2\x80\xa2   using defined processes to select new IT project proposals.\n\n      The FBI failed to implement these critical processes. We found\nthat the FBI does not have fully functioning IT investment boards that\nare engaged in all phases of IT investment management. The FBI was\nnot following a disciplined process of tracking and overseeing each\nproject\xe2\x80\x99s cost and schedule milestones. The FBI failed to document a\ncomplete inventory of existing IT systems and projects, and did not\nconsistently identify the business needs for each IT project. The FBI\ndid not have a fully established process for selecting new IT project\nproposals that considered both existing IT projects and new projects.\n\n      Because the FBI has not fully implemented the critical processes\nassociated with effective IT investment management, the FBI\ncontinues to spend hundreds of millions of dollars on IT projects\nwithout adequate assurance that these projects will meet their\nintended goals.\n\n\n\n                                 - ii -\n\x0c      We concluded that these shortcomings primarily resulted from\nthe FBI not devoting sufficient management attention in the past to IT\ninvestment management.\n\n      However, FBI management has recognized that its past methods\nto manage IT projects have been deficient, and the FBI recently has\ncommitted to changing those practices. In January 2002, the FBI\ndeveloped a conceptual model for selecting, controlling, and evaluating\nIT investments. The model seeks to define a process that will promote\na Bureau-wide perspective on IT investment management, so that only\nIT projects with the best probability of improving mission performance\nare selected. Further, the process is intended to provide the methods,\nstructures, disciplines, and management framework that governs the\nway IT projects are controlled and evaluated.\n\n      In addition to developing a conceptual model for a new ITIM\nprocess, in early 2002 the FBI began a pilot test of the new process for\nthe selection of IT proposals. We found that the FBI made\nimprovements during the pilot testing of the new selection process.\nPursuant to the new process, the FBI created three IT investment\nreview boards that reviewed IT proposals for technical compliance and\n\xe2\x80\x9cmission fit.\xe2\x80\x9d These boards, comprised of the FBI Director, FBI\nexecutives and IT managers, selected new IT proposals that will be\nconsidered for inclusion in the Fiscal Year (FY) 2004 budget request.\n\n       While the FBI has made efforts to improve its IT investment\nmanagement practices, the FBI must take further actions to ensure\nthat it can implement the fundamental processes necessary to build an\nIT investment foundation, as well as the more mature processes\nassociated with highly effective IT investment management. These\nactions include:\n\n   \xe2\x80\xa2   fully developing and documenting its new IT investment\n       management process \xe2\x80\x93 which is necessary to completely\n       implement the activities defined in the FBI\xe2\x80\x99s conceptual model;\n\n   \xe2\x80\xa2   requiring increased participation from IT program managers and\n       users \xe2\x80\x93 which is necessary to ensure senior management\n       acceptance and foster understanding and institutionalization of\n       the ITIM process; and\n\n   \xe2\x80\xa2   further developing the FBI\xe2\x80\x99s project management and enterprise\n       architecture functions \xe2\x80\x93 which is necessary to execute the\n\n\n\n                                  - iii -\n\x0c       control and evaluate components of the ITIM process as well as\n       advance its investment management capability.\n\n       Our audit also reviewed the FBI\xe2\x80\x99s management of Trilogy, the\nFBI\xe2\x80\x99s largest and most critical IT project. We found that the lack of\ncritical IT investment management processes contributed to missed\nmilestones and led to uncertainties about cost, schedule, and technical\ngoals. Specifically, despite $78 million in additional funding, the FBI\nmissed its July 2002 milestone date for completing the physical IT\ninfrastructure upgrades to field offices, including new computer\nhardware and networks.3 FBI officials stated that they are not\nexpecting the physical infrastructure components of Trilogy to be\ncompleted until March 2003. In addition, the user application\ncomponent of Trilogy, recognized by FBI officials as the most\nimportant aspect of the project in terms of improving agent\nperformance, is at high risk of not being completed within the funding\nlevels appropriated by Congress. In our judgment, the management\nproblems associated with Trilogy demonstrate the FBI\xe2\x80\x99s urgent need\nfor enhanced IT investment management.\n\n      We also concluded that the FBI\xe2\x80\x99s IT strategic planning and IT\nperformance measurement are inadequate. We found that the FBI\'s\nstrategic plan does not include goals for IT investment management,\nand the FBI\xe2\x80\x99s strategic plan and performance plan are not consistent\nwith the DOJ\xe2\x80\x99s annual performance plan.\n\n      The remainder of this executive summary provides more\nbackground and details on our audit findings and recommendations to\nhelp improve the FBI\xe2\x80\x99s management of its IT investments.\n\n2. Background\n\n      The Clinger-Cohen Act of 1996 requires each federal agency to\nimplement a process for maximizing the value of its IT investments.\nThis process is intended to ensure that IT projects are being\nimplemented at acceptable costs and within reasonable time frames,\nand that the projects are contributing to enhanced mission\nperformance. Specifically, the Clinger-Cohen Act requires federal\nagencies to: (1) develop an enterprise architecture framework, and\n\n\n\n\n       3\n        With the $78 million in additional funding, Trilogy\xe2\x80\x99s total appropriation was\n$458 million as of June 2002.\n\n\n                                        - iv -\n\x0c(2) follow a \xe2\x80\x9cselect/control/evaluate\xe2\x80\x9d approach to managing IT\ninvestments.\n\n      In May 2000, the GAO developed the IT Investment\nManagement Framework (Framework) to provide a common\nmethodology for assessing IT capital planning and investment\nmanagement practices at federal agencies. The Framework specifically\ndescribes the organizational processes required to carry out sound IT\ninvestment management.\n\n       The Framework, based on best practices of leading\norganizations, is a hierarchical model comprised of five maturity\nstages. These maturity stages represent steps toward achieving stable\nand mature investment management processes. As agencies advance\nthrough these stages, their capability to effectively manage IT\nincreases. With the exception of the first stage, each maturity stage is\ncomprised of critical processes that must be implemented and\ninstitutionalized for the agency to satisfy the requirements of that\nstage. These critical processes are further broken down into key\npractices an agency should perform to successfully implement each\ncritical process.\n\n       An agency using these critical processes is in a better position to\nsuccessfully invest in IT and use its IT investments to achieve its\npriorities. Conversely, an agency that does not have these critical\nprocesses in place is at high risk that its IT projects will fail to support\nthe achievement of priorities.\n\n      To determine whether the FBI was effectively managing its IT\ninvestments, we utilized the Framework because it is: (1) a\nstandardized tool for internal and external evaluations of an agency\xe2\x80\x99s\nIT investment management process; (2) a consistent and\nunderstandable mechanism for reporting the results of these\nassessments; and (3) a road map agencies can use for improving their\nIT investment management process.\n\n      In addition, the Government Performance and Results Act of\n1993 (Results Act) requires strategic planning and performance\nmeasurement throughout the federal government. The Results Act\nseeks to improve the effectiveness, efficiency, and accountability of\nfederal programs by requiring federal agencies to establish goals for\nprogram performance and measurement. The Results Act requires\nagencies to prepare a strategic plan, annual performance plan, and\nannual performance report.\n\n\n                                    -v-\n\x0c       While IT strategic planning is a function somewhat independent\nof IT investment management, these two functions are interrelated\nand complementary. The DOJ has recognized the importance of\nintegrating strategic planning with IT management. In July 2002, the\nDOJ released its IT Strategic Plan that included a strategic initiative to\nestablish and improve investment management processes.\n\n3. The FBI\xe2\x80\x99s Management of IT Investments\n\n      Our audit found that the FBI has not established an IT\ninvestment foundation and therefore is in Stage One maturity\naccording to the ITIM Framework. Stage One maturity is characterized\nby inconsistent, unstructured, and unpredictable investment\nprocesses. Our observations of the FBI\xe2\x80\x99s IT investment processes\nfound that the FBI\xe2\x80\x99s actual processes are consistent with these\nStage One deficiencies.\n\n      The critical processes necessary to establish an IT investment\nfoundation include: (1) defining investment review board operations,\n(2) developing project-level investment control processes,\n(3) identifying IT projects and systems, (4) identifying the business\nneeds for each IT project, and (5) developing a basic process for\nselecting new IT proposals.\n\n       We found that the FBI failed to implement these critical\nprocesses. The FBI did not have a fully established investment review\nboard operation because the FBI did not provide adequate resources\nfor operating the IT investment boards. Additionally, we found\ninsufficient evidence to demonstrate that: (1) organization executives\nand line managers supported and carried out IT investment board\ndecisions and (2) board members understood the investment board\xe2\x80\x99s\npolicies and procedures and exhibited core competencies in using the\nIT investment approach via training, education, or experience.\nSpecifically, the FBI did not provide ample time to adequately prepare\nand train IT board members prior to initiating the pilot test of its\nrecently developed ITIM process. This resulted in inadequate training\nof board members and minimal preparation time to develop IT\nproposals. For example, Technical Review Board members had only\nthree business days to review over 50 IT proposals prior to their first\nboard meeting.\n\n       Additionally, we found that the FBI is not effectively overseeing\nits IT projects. For example, while the FBI has issued project\nmanagement guidance, the guidance is not being followed on a\n\n\n                                   - vi -\n\x0cconsistent basis. Depending on whom we talked to, we obtained\ndifferent answers as to which document represented the FBI\xe2\x80\x99s official\nproject management guidance.\n\n      Without effective oversight of IT projects, FBI officials do not\nhave adequate assurance that IT projects are being developed on\nschedule and within established budgets. According to a former Chief\nInformation Officer at the FBI, the lack of effective oversight of IT\nprojects has prevented IT project managers from being held\naccountable for cost and schedule overruns and the ultimate\nperformance of projects. Senior FBI officials also told us that the\nBureau\xe2\x80\x99s budget formulation process focuses only on the acquisition\ncosts for IT projects and not the full life-cycle costs, especially\noperations and maintenance costs.\n\n      We also found that the FBI\xe2\x80\x99s investment review boards are not\naware of all the IT projects and resources for which the boards are\nresponsible. FBI Divisions maintained some version of an IT inventory\nfor the projects and systems under their jurisdiction, and there was no\ncentralized office responsible for maintaining a uniform listing Bureau-\nwide. FBI managers told us they were in the process of developing an\nIT asset inventory, but at the time of our audit they were unable to\nprovide an estimated date for completing the inventory.\n\n      FBI personnel told us that staff shortages are the primary cause\nfor the incomplete IT asset inventory. In our judgment, staff\nshortages may be a contributing factor, but the lack of centralized\nmanagement over IT investments was the significant reason for this\nproblem. Until June 2002, the FBI did not have a centralized project\nmanagement office to assist the investment boards in overseeing IT\nprojects. The FBI maintained three separate division-level project\nmanagement offices to manage IT projects.\n\n      We also determined that the FBI did not have a fully established\nprocess for selecting IT proposals. FBI officials told us that, prior to\nMarch 2002, individual divisions determined IT needs in a \xe2\x80\x9cstovepipe,\xe2\x80\x9d\nwithout knowledge of the business needs and priorities of the Bureau\nas a whole. The FBI did not have a clearly designated official to\nmanage the proposal selection process. According to Information\nResources Management Section personnel, the Finance Division\nmanaged the IT selection process. However, according to Finance\nDivision personnel, the Information Resources Management office was\nresponsible for managing the proposal selection process.\n\n\n\n                                 - vii -\n\x0c       Without a comprehensive proposal selection process that\nincludes adequate resources and training, the FBI cannot ensure that it\nis selecting the best IT projects that meet mission-critical needs.\n\n      Because the FBI did not fully implement any of the critical\nprocesses associated with Stage Two, the FBI continues to spend\nhundreds of millions of dollars on IT projects without having adequate\nselection and project management controls in place to ensure that IT\nprojects will deliver their intended benefits.\n\n       The FBI began pilot testing the select phase of its new ITIM\nprocess in March 2002, and since then has made measurable progress\ntowards implementing the key practices that comprise the critical\nprocesses \xe2\x80\x93 particularly in the area of selecting new proposals for IT\nprojects. Specifically, at the beginning of our audit in January 2002,\nthe FBI only was executing 4 of the 38 required key practices;\nhowever, as of June 2002, the FBI was executing 14 of the key\npractices.\n\n      With the pilot testing of its new ITIM process, the FBI created an\nIT investment process guide containing policies and procedures to\ndirect board operations, and created and defined three investment\nreview boards integrating both IT and business knowledge.\nAdditionally, the FBI has designated an official responsible for\nmanaging the IT project and system identification process and\nensuring that the inventory meets the needs of the investment\nmanagement process. Further, during the test pilot of the ITIM\nprocess, the board reviews of IT project proposals provided assurance\nthat business needs were clearly identified and defined. Also during\nthe test pilot, we determined that FBI IT investment board members\nanalyzed and prioritized new IT proposals according to established\nselection criteria for the FY 2004 budget cycle.\n\n       Despite the progress made, full implementation of the ITIM\nprocess will require the FBI to (1) fully develop and document its new\nITIM process; (2) require more input and participation from IT\nmanagers and users; and (3) further develop its project management\nand enterprise architecture functions. Completion of the initial steps\ntaken by the FBI will ensure that IT projects are developed within cost\nand schedule requirements, and meet performance expectations. The\nTrilogy project provides an example of how the non-implementation of\nfundamental IT investment management practices can put a project at\nrisk of not delivering what was promised, within cost and schedule\nrequirements.\n\n\n                                 - viii -\n\x0c4. Trilogy\n\n        We also performed a case study of the FBI\xe2\x80\x99s implementation of\nits Trilogy project. We selected Trilogy because it is the FBI\xe2\x80\x99s largest\nongoing IT project and is considered vital to the FBI\xe2\x80\x99s ability to\nperform its mission. Trilogy is intended to upgrade the FBI\xe2\x80\x99s:\n(1) hardware and software \xe2\x80\x93 referred to as the Information\nPresentation Component (IPC), (2) communication networks \xe2\x80\x93 referred\nto as the Transportation Network Component (TNC), and (3) five most\nimportant investigative applications \xe2\x80\x93 referred to as the User\nApplications Component (UAC). The IPC and TNC upgrades will\nprovide the physical infrastructure needed to run the applications from\nthe UAC portion. The UAC portion is intended to upgrade and\nconsolidate five of the FBI\xe2\x80\x99s 42 investigative applications. Because of\nthe 37 other investigative applications and approximately 160 non-\ninvestigative applications that Trilogy will not cover, Trilogy is only a\nstarting point towards upgrading the FBI\xe2\x80\x99s entire IT infrastructure.\nAccording to the FBI, Trilogy is not designed to provide the FBI with\nstate-of-the-art IT; it is intended to provide the foundation so that the\nFBI can eventually attain state-of-the-art IT.\n\n       In November 2000, Congress appropriated $100.7 million for the\nfirst year of the $379.8 million Trilogy project, which was to be funded\nover a three-year period (from the date contractors were hired). The\n$100.7 million was a combination of new program funding and a\nre-direction of base resources. When the FBI requested contractor\nsupport for Trilogy, it combined the IPC and TNC portions for\ncontinuity as both encompass physical IT infrastructure enhancements.\nThe contractor for the IPC/TNC portions was hired in May 2001, and\nthe originally scheduled completion date for these components was\nMay 2004. A different contractor was hired in June 2001 to complete\nthe UAC portion of Trilogy by June 2004.\n\n      After the terrorist attacks on September 11, 2001, the urgency\nof completing Trilogy increased, and the FBI explored options to\naccelerate the deployment of all three components of Trilogy. The FBI\ninformed Congress in February 2002 that, with an additional\n$70 million, the FBI could accelerate the deployment of Trilogy. This\nacceleration would include completion of the IPC/TNC phase by\nJuly 2002 and rapid deployment of the most critical analytical tools\nincluded as part of the UAC phase.\n\n\n\n\n                                  - ix -\n\x0c      In January 2002, Congress supplemented Trilogy\xe2\x80\x99s FY 2002\nbudget with $78 million4 to expedite the deployment of all three\ncomponents. This supplemental appropriation increased the total\nfunding of Trilogy from approximately $380 million to $458 million.\n\n      Even with these additional funds, the FBI missed its July 2002\nmilestone date for completing the IPC and TNC phases. FBI officials\nstated that they are not expecting these components of Trilogy to be\ncompleted until March 2003. In addition, the user application\ncomponent of Trilogy, recognized by FBI officials as the most\nimportant aspect of the project in terms of improving agent\nperformance, is at high risk of not being completed within the funding\nlevels appropriated by Congress. Further, despite receiving an\nadditional $78 million from Congress in January 2002, FBI managers\nhave acknowledged to us that the last phase of UAC will not be\ncompleted any sooner than originally planned (in June 2004).\n\n      In terms of a cost baseline, FBI officials told us that the rapid\nprocurement and deployment of Trilogy has prevented the project\nmanagers from performing earned value management,5 as promised\nto Congress. While FBI officials were confident they know how much\nmoney has been spent on Trilogy to date, and how much funding has\nbeen committed, they have less assurance as to whether Trilogy is on\nbudget, over budget, or under budget.\n\n       A schedule baseline for Trilogy has never been well-established.\nFirst, FBI officials said they would complete IPC/TNC deployment in\nMay 2004. Then, they said it could be finished in June 2003. Next,\nthey said it would be finished by December 2002. After receiving\n$78 million of supplemental funding, they said it would be done by\nJuly 2002. Then, they said they could not make the July 2002\ndeadline and moved it to October 2002. As of June 2002, FBI officials\nhave said deployment will probably not be complete until March 2003.\nAlso as of June 2002, the FBI was still in the process of building a\ncomprehensive schedule of Trilogy milestones.\n\n      Regarding the technical requirements for Trilogy, we were told\nthat some aspects of Trilogy as submitted to Congress did not turn out\nto be technically feasible. For example, FBI officials told us that the\n\n       4\n         The $78 million is comprised of the $70 million that FBI requested for\nacceleration, plus $8 million for contractor support.\n       5\n        Earned value management is a project monitoring method that compares\nthe value of products and services received with funds that have been expended.\n\n\n                                        -x-\n\x0cthin-client strategy was not pursued because it was found that this\ntype of network could not be achieved given the technical\nrequirements of the FBI.6 Another example is web-enablement of the\nAutomated Case Support (ACS) system, which was also discontinued\nwhen it was realized that it would require more resources than\nanticipated.7 Had a more rigorous proposal selection process been in\nplace to require sufficient documentation of the technical requirements\nand risks of the project, the expending of time and resources on thin-\nclient technology and web-enablement of ACS may have been\nminimized.\n\n       Another technical issue involves the development of the UAC\nportion of Trilogy. Because the UAC portion is focused on making\nsignificant changes to, or possibly complete replacements of, five of\nthe FBI\xe2\x80\x99s investigative systems, documentation for the exact\nconfiguration of these systems is critical to designing the requirements\nfor UAC. According to a senior FBI official, the FBI must know what it\nhas before it can define the right solution to fix the problem. Lack of\ndocumentation for the configuration of these five investigative systems\nhas caused the FBI to engage in a process of reverse engineering,\nwhich is trying to determine the structure and components of the\nsystems after deployment. Because the FBI has to perform reverse\nengineering on the FBI\xe2\x80\x99s five investigative systems, there are\nlimitations as to how rapidly UAC can be developed and deployed.\n\n       Our observations at five FBI field offices indicated that\ndeployment of the IT physical infrastructure was still ongoing as of\nJune 2002. For two field offices, additional installation work remained\nto be completed, and for four field offices hundreds of desktop\ncomputers still remained to be delivered. A lack of clear\ncommunication between FBI Headquarters and the field offices\ncontributed to the confusion over the number of desktop computers to\nbe delivered and shortages of fiber optic cable. Additionally contractor\nmaintenance support for the Trilogy architecture was inefficient,\nresulting in agents being without computers for weeks at a time.\nImprovements in agent and support personnel training, procurement\nof trouble-shooting equipment for the Trilogy architecture, and timely\n\n\n       6\n          According to the FBI, a thin-client strategy would utilize application software\nthat is run from the server computer, and consequently permit desktop computers to\nfunction with few hardware resources such as processors and memory.\n       7\n         Web-enablement refers to the ability of the software application to interface\nwith the Internet through a browser, thereby extending information access.\n\n\n                                         - xi -\n\x0ccompletion of FBI unique macros for Microsoft Word will enhance user\nutilization of the Trilogy architecture.\n\n      The new Trilogy project executive, hired in March 2002, has\ntaken a different approach to managing Trilogy. She has emphasized\nthe importance of having more structured oversight of the project.\nShe has been developing a comprehensive schedule for all three\ncomponents. Additionally, she has indicated that there are limitations\nto how fast Trilogy can be deployed, without risking the security of the\nsystem. In our judgment, while these actions taken since March 2002\nrepresent positive changes to Trilogy\xe2\x80\x99s project management function,\nthe project\xe2\x80\x99s completion time, final cost, and ultimate performance\nremain uncertain. Also, we concluded that for the Trilogy project\nmanagement function to be effective, it must include oversight from IT\ninvestment review boards to provide much needed monitoring.\n\n5. FBI\xe2\x80\x99s IT Strategic Planning and Performance Measurement\n\n       We also assessed the FBI\xe2\x80\x99s IT strategic planning and\nperformance measurement. We found that the FBI\xe2\x80\x99s strategic plan\ndoes not include IT investment management goals and the FBI\xe2\x80\x99s\nstrategic plan and performance plan are not consistent with the DOJ\xe2\x80\x99s\nannual performance plan. Also, as of the end of June 2002, the FBI\ndid not have a current strategic plan dedicated to IT. Instead,\nindividual FBI divisions had program plans that included the use of IT\nwithin particular programs.\n\n       This occurred because the FBI has not updated its strategic plan\nsince 1998, and its performance plan does not include the same\nstrategic objectives, goals, and strategies relating to IT as does the\nDOJ\'s annual performance plan. We believe that the FBI will have\ndifficulty improving its IT investment management process without\nincorporating it into the strategic plan. Additionally, without adequate\nstrategic planning and performance measurements, there is a\nheightened risk that the FBI may not be appropriately allocating\nresources to meet the DOJ\xe2\x80\x99s strategic priorities.\n\n       In our judgment, the FBI must change the division-specific IT\nfocus and implement a Bureau-wide IT strategic plan. The purpose of\nthe FBI\xe2\x80\x99s ITIM process is to move away from the decentralized IT focus\nto a centralized one. As a result, we recommend that the FBI update\nits IT strategic plan and performance plans to (1) fully integrate these\nplans with the FBI\xe2\x80\x99s ITIM process; and (2) include those performance\ngoals and indicators defined in the DOJ\xe2\x80\x99s IT Strategic Plan.\n\n\n                                 - xii -\n\x0c6. OIG Recommendations\n\n      In this report, we make 30 recommendations that focus on\nspecific and immediate steps the FBI should take to help improve its IT\ninvestment management. These recommendations include:\n\n  \xe2\x80\xa2   Ensure that the FBI continues its efforts to establish a\n      comprehensive enterprise architecture that is integrated with the\n      ITIM process.\n\n  \xe2\x80\xa2   Require the ITIM Program Office to plan for and allocate\n      sufficient time for IT investment review board members and\n      other ITIM users to execute assigned responsibilities\n      competently.\n\n  \xe2\x80\xa2   Ensure that members of IT investment boards and other ITIM\n      users receive sufficient training to execute assigned\n      responsibilities effectively.\n\n  \xe2\x80\xa2   Ensure that official project management guidance is used for all\n      FBI IT projects through management oversight from the IT\n      investment review boards.\n\n  \xe2\x80\xa2   Ensure that each IT project has a project management plan,\n      approved by the IT investment review boards, that includes cost\n      and schedule controls.\n\n  \xe2\x80\xa2   Ensure that a complete IT asset inventory is developed, and\n      information from the IT asset inventory is made available to, and\n      used by, the IT investment review boards as necessary.\n\n  \xe2\x80\xa2   Ensure that the FBI develops written policies and procedures for\n      identifying the business needs (and the associated users) of each\n      IT project.\n\n  \xe2\x80\xa2   Ensure that identified users participate in project management\n      throughout a project\'s life-cycle.\n\n  \xe2\x80\xa2   Ensure that the policies and procedures of the ITIM process are\n      expanded, documented, and made available to ITIM users.\n\n  \xe2\x80\xa2   Ensure that the ITIM Program Office and the ITIM contractor\n      incorporate the input from various ITIM users through\n\n\n                                - xiii -\n\x0c       working group sessions as the ITIM process is being further\n       developed and refined.\n\n   \xe2\x80\xa2   Ensure that the FBI develops and implements a specific plan\n       detailing how and when it will integrate the ITIM process with a\n       system development life-cycle methodology.\n\n7. Conclusion\n\n       The underlying practices we assessed are fundamental to any\nproject management endeavor. However, the FBI has not executed\nthe majority of these tasks to select and manage its IT resources. For\nexample, organizational policies were not clearly established to ensure\nthat critical IT investment policies endure. Additionally, there were no\nclearly defined, uniform procedures for project management, tracking\nproject performance, and taking corrective actions as necessary. Prior\nto the development of its ITIM process in early 2002, the FBI did not\ngive sufficient attention to IT investment management. Since the FBI\ndeveloped its ITIM process in early 2002, it has focused more\nmanagement attention in this area and has made progress towards\nattaining a basic IT investment management foundation. Despite the\nprogress, the FBI did not fully implement any of the critical processes\nnecessary to build an IT investment foundation. As a result, the FBI\ncontinues to spend hundreds of millions of dollars on IT projects\nwithout having adequate selection and project management controls in\nplace to ensure that IT projects will deliver their intended benefits.\n\n\n\n\n                                 - xiv -\n\x0c                           TABLE OF CONTENTS\n\nINTRODUCTION .............................................................................1\n1.   Background ..........................................................................1\n2.   The FBI\xe2\x80\x99s Management of IT Infrastructure................................2\n3.   Prior Reports on the FBI\xe2\x80\x99s IT and DOJ Oversight of\n     Components\xe2\x80\x99 IT .....................................................................4\n4.   The FBI\xe2\x80\x99s Current IT Investment Efforts ....................................9\n5.   Trilogy: The FBI\xe2\x80\x99s Largest IT Investment................................ 10\n6.   Framework for Assessing IT Investment Management ............... 12\n7.   The DOJ\xe2\x80\x99s ITIM Guidance ...................................................... 17\n8.   The FBI\xe2\x80\x99s Recent Efforts to Implement an ITIM Process ............. 18\n\nOIG FINDINGS AND RECOMMENDATIONS ....................................... 22\n1.   The FBI\xe2\x80\x99s Management of IT Investments................................ 22\n\n       A. The FBI\xe2\x80\x99s Progress Toward Attaining a Basic IT\n          Investment Management Foundation................................. 22\n\n       B. The FBI\xe2\x80\x99s Ability to Improve its IT Investment\n          Practices ....................................................................... 60\n\n       C. Trilogy Case Study .......................................................... 86\n\n2.     The FBI\xe2\x80\x99s IT Strategic Planning and Performance\n       Measurement .................................................................... 114\n\n       A. Background on Strategic Planning ................................... 114\n\n       B. Strategic Planning\xe2\x80\x99s Relationship to the ITIM Process......... 116\n\n       C. Results of our Assessment of the FBI\xe2\x80\x99s IT Strategic\n          Planning and Performance Measurement.......................... 117\n\n       D. Summary .................................................................... 118\n\n       E.   Recommendation ......................................................... 118\n\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ........ 119\n\nSTATEMENT ON MANAGEMENT CONTROLS .................................... 120\n\nAPPENDIX 1: OBJECTIVES, SCOPE, AND METHODOLOGY ................ 121\n\x0cAPPENDIX 2: FLOWCHART OF FBI\xe2\x80\x99S ITIM CONTROL PHASE ............. 125\n\nAPPENDIX 3: FLOWCHART OF FBI\xe2\x80\x99S ITIM EVALUATE PHASE ............ 126\n\nAPPENDIX 4: JMD\xe2\x80\x99S ASSESSMENT OF THE FBI\xe2\x80\x99S ITIM\n            PROCESS ............................................................. 127\n\nAPPENDIX 5: GAO\xe2\x80\x99S FIVE STAGES OF ENTERPRISE\n            ARCHITECTURE MATURITY...................................... 133\n\nAPPENDIX 6: FBI\xe2\x80\x99S ENTERPRISE ARCHITECTURE MATURITY\n            SURVEY ............................................................... 135\n\nAPPENDIX 7: FBI\xe2\x80\x99S RESPONSE TO THE DRAFT REPORT .................. 136\n\nAPPENDIX 8: OIG, AUDIT DIVISION ANALYSES AND\n            SUMMARY OF ACTIONS NECESSARY TO\n            TO CLOSE REPORT ................................................ 153\n\x0c                               INTRODUCTION\n\n1. Background\n\n      The Federal Bureau of Investigation (FBI or Bureau) is the\nprincipal investigative arm of the Department of Justice (DOJ). To\nexecute its responsibilities, the FBI\xe2\x80\x99s Headquarters in Washington, D.C.\nprovides program direction and support services to 56 field offices,\napproximately 400 satellite offices known as resident agencies and\nmore than 40 foreign liaison posts.\n\n      As of June 2002, the FBI had over 11,000 Special Agents and\nover 16,000 other employees who performed professional,\nadministrative, technical, clerical, craft, trade, or maintenance\noperations. The FBI\xe2\x80\x99s budget authority increased 31 percent from\n$3.339 billion in FY 2001 to nearly $4.371 billion in FY 2002.8 Of this\nbudget authority, $714 million was allocated to information technology\n(IT) projects in FY 2002 compared to $353 million in FY 2001.\n\n      The terrorist attacks of September 11, 2001, prompted the\nAttorney General to make counterterrorism the DOJ\xe2\x80\x99s highest priority.\nThe DOJ reflected these new priorities in its Strategic Plan for Fiscal\nYears 2001 \xe2\x80\x93 2006, which was issued in November 2001. In the\nStrategic Plan, the Attorney General recognized that the fight against\nterrorism requires the DOJ \xe2\x80\x9cto improve the integrity and security of its\ncomputer systems and make more effective use of information\ntechnology.\xe2\x80\x9d\n\n       In response to the DOJ\xe2\x80\x99s new priorities following September 11,\n2001, the FBI proposed fundamental changes in its strategic priorities\nand business practices. In May 2002, the Director of the FBI\nannounced a major reorganization that dedicates more resources to\nthe prevention of terrorism.9 Although the core missions of the FBI\nremain intact, the proposed changes would transform the Bureau\xe2\x80\x99s\nrole from reactive to preventive. To accomplish this transition, FBI\nofficials have repeatedly told Congress that new and improved IT is\nrequired to support a redesigned and refocused FBI. In testimony\n\n      8\n         These figures were taken from the DOJ\xe2\x80\x99s website (www.usdoj.gov). They\ninclude a $745 million Counterterrorism Supplemental for FY 2002 and exclude\nFederal Retiree and Health Benefit Costs.\n      9\n          This reorganization was approved by Congress on July 31, 2002.\n\n\n\n                                        -1-\n\x0cbefore the Senate Judiciary Committee on June 6, 2002, the Director\nreleased the FBI\xe2\x80\x99s top ten priorities in the post-September 11 era, with\nthe number one priority being protecting the United States from\nterrorist attacks. Number ten on the list of priorities is upgrading\ntechnology to successfully perform the FBI\xe2\x80\x99s mission. Clearly, the\nFBI\xe2\x80\x99s future ability to prevent terrorism and other crimes depends on\nmodern information technology and effective management of\ntechnology.\n\n2. The FBI\xe2\x80\x99s Management of IT Infrastructure\n\n      The FBI has three divisions that manage major IT projects: the\nInformation Resources Division (IRD), the Criminal Justice Information\nServices Division (CJIS), and the Laboratory Division. As discussed\nbelow, the FBI is attempting to centralize the management of IT,\nrather than manage IT within divisions.\n\n       The IRD provides the day-to-day support services to manage the\ninformation systems of the FBI. The IRD\xe2\x80\x99s responsibilities include\nmanagement of all hardware, software, and IT peripheral equipment\nlocated at the FBI\xe2\x80\x99s Headquarters, field offices, and other offsite\nlocations.\n\n       The IRD has been restructured in recent years to increase the\noversight and jurisdiction of the Chief Information Officer. Until\nNovember 2001, the Chief Information Officer of the FBI was the\nAssistant Director of IRD who reported to the Director. However, to\ngive the Chief Information Officer greater authority over the entire\nFBI, the Chief Information Officer was moved out of IRD and into the\nDirector\xe2\x80\x99s office, pursuant to a restructuring approved by Congress on\nNovember 30, 2001. Additionally, to support the Chief Information\nOfficer, the Information Resources Management Section10 was moved\nout of IRD and into the Chief Information Officer\xe2\x80\x99s office, following\nanother restructuring in February 2002. Also, in February 2002, the IT\nInvestment Management Program Office was formed (within the\nInformation Resources Management Section) and was staffed with one\nindividual whose responsibility was to manage the FBI\xe2\x80\x99s IT investment\nmanagement program. Based on these actions, the FBI recognizes\nthat centralizing the management of IT requires a Chief Information\nOfficer to have Bureau-wide oversight and jurisdiction, rather than be\nisolated within a division.\n\n      10\n        The Information Resources Management Section is responsible for\nmanaging IT investments and enterprise architecture.\n\n\n                                     -2-\n\x0c      The CJIS Division uses several significant IT systems to manage\nand disseminate relevant criminal justice information to the FBI and\nother law enforcement agencies. For example, the\nNational Crime Information Center 2000 is a nationwide information\nsystem that supports federal, state, and local law enforcement\nagencies. Additionally, the CJIS Division is responsible for managing\nthe Integrated Automated Fingerprint Identification System and the\nNational Incident-Based Reporting System. To support the\nmanagement of these systems, the CJIS Division maintains a\nContract Administration Office, which provides quality assurance,\nconfiguration management, and project management support services\nnecessary to manage these and other systems under its jurisdiction.\n\n      The Laboratory Division manages several forensic computer\nsystems that provide forensic and technical services to law\nenforcement agencies. A significant system includes the Combined\nDNA Index System (CODIS), which provides software and support\nservices to state and local laboratories to establish databases of\ncriminals, unsolved crime scenes, and missing persons. A component\nof CODIS, the National DNA Index System, shares DNA profiles from\nconvicted offenders and crime scenes to laboratories throughout the\nUnited States. To manage these systems, the Laboratory Division\nmaintains its own project management office.\n\n      The FBI has recognized that its IT infrastructure was significantly\noutdated and did not effectively support user needs. Although recent\nupgrades have changed these numbers, as of September 2000, over\n13,000 desktop computers were 4 to 8 years old and could not run\nbasic software packages, some communication networks were up to\n12 years old and were obsolete, and multiple user-applications existed\nthat were neither web-enabled11 nor user-friendly.12 On June 6, 2002,\nthe Director stated to the Senate Judiciary Committee:\n\n       You\xe2\x80\x99ve heard me talk about the necessity for upgrading our\n       technology. And upgrading our technology means not just\n       getting the computers on board, the hard drives. It means\n       everybody from top to bottom becoming facile with the\n\n       11\n          Web-enablement refers to the ability of the software application to interface\nwith the Internet through a browser, thereby extending information access.\n       12\n          According to FBI officials, the FBI acknowledged these needs to Congress in\nthe late 1990s, in addition to the technology upgrade plan prepared in September\n2000.\n\n\n\n                                        -3-\n\x0c       computer, understanding the computer and understanding\n       how technology can assist us to do our jobs better. And\n       that is somewhat of a transformation for an organization\n       such as the FBI, which is years behind where it should be,\n       in terms of having the technological infrastructure.\n\n3. Prior Reports on the FBI\xe2\x80\x99s IT and DOJ Oversight of\n   Components\xe2\x80\x99 IT\n\n      Reports issued by the Office of the Inspector General (OIG) over\nthe past 12 years have highlighted many IT inefficiencies at the FBI.\nIn 1990, the OIG issued a report entitled, \xe2\x80\x9cThe FBI\xe2\x80\x99s Automatic Data\nProcessing General Controls.\xe2\x80\x9d This report found\n11 major internal control weaknesses, many of which are still\napplicable today. Specifically the report stated that:\n\n   \xe2\x80\xa2   the FBI\xe2\x80\x99s phased implementation of its 10-year Long Range\n       Automation Strategy, scheduled for completion in 1990, was\n       severely behind schedule and may not be accomplished;\n\n   \xe2\x80\xa2   the FBI\xe2\x80\x99s Information Resources Management program was\n       fragmented and ineffective, and the FBI\xe2\x80\x99s Information Resources\n       Management official did not have effective organization-wide\n       authority;\n\n   \xe2\x80\xa2   the FBI had not developed and implemented a data architecture;\n\n   \xe2\x80\xa2   the FBI had not adequately involved top management in FBI\n       Headquarters or the field offices in systems development\n       through an Executive Review Committee; and\n\n   \xe2\x80\xa2   the FBI\xe2\x80\x99s major mainframe investigative systems were labor\n       intensive, complex, untimely, and non-user friendly and few\n       Special Agents used these systems.\n\n      Regarding the first weakness, the FBI\xe2\x80\x99s IT infrastructure is still\nseverely outdated, as we previously mentioned. Regarding the second\nweakness, the FBI has recently restructured the IRD and Information\nResources Management Section to reduce the fragmented\nmanagement structure that existed among the three divisions\nresponsible for managing IT. Regarding the third weakness, as\ndiscussed later in the report, the FBI is still developing an enterprise\narchitecture framework, which includes the technical or data\narchitecture. Regarding the fourth weakness, as discussed later in the\n\n\n                                  -4-\n\x0creport, the FBI did not have formally established IT investment review\nboards or committees until March 2002. Regarding the fifth weakness,\nthe FBI\xe2\x80\x99s major investigative systems remain labor intensive, complex,\nnon-user friendly, and many Special Agents still do not use these\nsystems.\n\n      The OIG\xe2\x80\x99s July 1999 special report on the handling of intelligence\ninformation related to the DOJ\xe2\x80\x99s campaign finance task force13 stated\nthat FBI personnel were not well versed in the Automated Case\nSupport (ACS) system14 and other databases. Additionally, a\nNovember 1999 report on the death of a federal inmate, Kenneth\nMichael Trentadue, noted deficiencies in uploading key evidence into\nthe ACS.\n\n       A March 2002 report entitled, \xe2\x80\x9cAn Investigation of the Belated\nProduction of Documents in the Oklahoma City Bombing Case,\xe2\x80\x9d\nanalyzed the causes for the belated production of many documents in\nthe Oklahoma City bombing case. This report concluded that the ACS\nsystem is extraordinarily difficult to use, has significant deficiencies,\nand is not the vehicle for moving the FBI into the 21st century. The\nreport noted that inefficiencies and complexities with the ACS\ncombined with the lack of a true information management system\nwere contributing factors in the FBI\xe2\x80\x99s failure to provide hundreds of\ninvestigative documents to the defendants in the Oklahoma City\nBombing Case. These reports illustrate that the FBI has not given\nsufficient attention to correcting its deficiencies in information\nmanagement and the ACS.\n\n       In May 2002, pursuant to the FY 2002 Government Information\nSecurity Reform Act, the OIG issued a report on the FBI\xe2\x80\x99s\nadministrative and investigative mainframe systems. This report\nidentified continued vulnerabilities with management, operational, and\ntechnical controls. Significant vulnerabilities were noted in the\nfollowing areas:\n\n\n\n\n      13\n       The report, \xe2\x80\x9cHandling of FBI Intelligence Information Related to the Justice\nDepartment\xe2\x80\x99s Campaign Finance Investigation,\xe2\x80\x9d was issued in July 1999.\n       14\n         The ACS is the FBI\xe2\x80\x99s primary investigative computer application that\nuploads and stores case files electronically.\n\n\n\n                                       -5-\n\x0c   \xe2\x80\xa2   security policies, procedures, standards, and guidelines;\n\n   \xe2\x80\xa2   physical controls;\n\n   \xe2\x80\xa2   system and network backup and restoration controls;\n\n   \xe2\x80\xa2   password management;\n\n   \xe2\x80\xa2   logon management;\n\n   \xe2\x80\xa2   account integrity management;\n\n   \xe2\x80\xa2   system auditing management; and\n\n   \xe2\x80\xa2   system patches.\n\n       The report stated that these vulnerabilities occurred because the\nDOJ and FBI security management had not enforced compliance with\nexisting security policies, developed a complete set of policies to\neffectively secure the administrative and investigative mainframes, or\nheld FBI personnel responsible for timely correction of recurring\nfindings. Further, the report indicated that FBI management has been\nslow to correct identified weaknesses and implement corrective action.\nTherefore, many of these deficiencies repeat year after year in\nsubsequent audits.\n\n      In March 2002, the Commission for the Review of FBI Security\nPrograms issued a report titled, \xe2\x80\x9cA Review of FBI Security Programs.\xe2\x80\x9d\nThis Commission, chaired by former FBI Director William H. Webster,\nwas established to investigate the espionage of a FBI Supervisory\nSpecial Agent, Robert Hanssen.15 The report identified a wide range of\nproblems affecting the FBI\xe2\x80\x99s computer systems and information\nsecurity policies, including the following:\n\n   \xe2\x80\xa2   Classified information had been moved into systems not\n       properly accredited for its protection.\n\n\n\n\n       15\n           According to the report, over a period of 22 years, Robert Hanssen gave\nthe Soviet Union and Russia vast quantities of documents and computer diskettes\nfilled with national security information of incalculable value.\n\n\n\n                                        -6-\n\x0c   \xe2\x80\xa2   Until recently, the FBI had not begun to certify and accredit most\n       of its computer systems, including many classified systems.\n\n   \xe2\x80\xa2   Inadequate physical protections placed electronically stored\n       information at risk of compromise.\n\n   \xe2\x80\xa2   The FBI\xe2\x80\x99s approach to system design has been deficient. It has\n       failed to ascertain the security requirements of the \xe2\x80\x9cowners\xe2\x80\x9d of\n       information on its systems and identify the threats and\n       vulnerabilities that must be countered.\n\n   \xe2\x80\xa2   Classified information stored on some of the FBI\xe2\x80\x99s most widely\n       utilized systems was not adequately protected because computer\n       users lacked sufficient guidance about critical security features.\n\n   \xe2\x80\xa2   Some FBI inspectors had insufficient resources to perform\n       required audits. When audits were performed, audit logs\n       were reviewed sporadically, if at all.\n\nAccording to the report, these findings resulted from the FBI\xe2\x80\x99s lack of\nattention to IT security in developing and managing computer\nsystems.16\n\n      Additionally, the General Accounting Office (GAO) has issued\nseveral reports and related testimony that highlight deficiencies with\nthe FBI\xe2\x80\x99s IT. In June 2002, the Comptroller General provided the\nfollowing testimony before a subcommittee of the United States House\nof Representatives Appropriations Committee:\n\n       Communications has been a longstanding problem for the\n       FBI. This problem has included antiquated computer\n       hardware and software, including the lack of a fully\n       functional e-mail system. These deficiencies serve to\n       significantly hamper the FBI\xe2\x80\x99s ability to share important\n       and time sensitive information with the rest of the FBI\n       across other intelligence and law enforcement agencies.\n       We [the GAO] do not believe the FBI will be able to\n       successfully change its mission and effectively transform\n       itself without significantly upgrading its communications\n\n\n\n       16\n         Although the focus of our audit does not assess the FBI\xe2\x80\x99s IT security\npractices, the two prior reports mentioned above indicate that the FBI\xe2\x80\x99s effective use\nof IT must address information assurance as part of an overall IT governance model.\n\n\n                                        -7-\n\x0c      and information technology capabilities. This is critical,\n      and it will take time and money to successfully address.17\n\n      In a review of the DOJ\xe2\x80\x99s Campaign Finance Task Force, the GAO\nreported in May 2002 that the FBI lacked an adequate information\nsystem that could manage and interrelate the evidence that had been\ngathered in relation to the Task Force\xe2\x80\x99s investigations.18 Also, as part\nof a government-wide assessment of federal agencies, the GAO\nreported in February 2002 that the FBI needed to fully establish the\nmanagement foundation that is necessary to successfully develop,\nimplement, and maintain an enterprise architecture.19\n\n      The deficiencies in IT management are not solely attributable to\nthe FBI itself, but are also attributable in part to DOJ actions. In\nDecember 2000, the GAO issued a report on the Immigration and\nNaturalization Service\xe2\x80\x99s (INS) investment management capability.20\nThis report stated that the DOJ was not guiding and overseeing the\nINS\xe2\x80\x99s IT investment management (ITIM) approach. The report\nhighlighted the DOJ\xe2\x80\x99s responsibility, as required by the Clinger-Cohen\nAct of 1996, to ensure that its components implement an effective\nITIM process. According to the report, the DOJ had not provided the\nINS, or any other component, sufficient direction, guidance, and\noversight of ITIM activities. Further, the report stated:\n\n      While Justice [the Department of Justice] issued guidance\n      in January 2000 describing its high-level investment\n      management process, the guidance does not address the\n      need or requirements for Justice\xe2\x80\x99s components to\n      implement an IT investment management process.\n      Specifically, this guidance does not instruct the\n      components to establish IT investment management\n      processes nor does it establish expectations for doing so.\n      Until Justice issues its policy and guidance and begins\n      monitoring its components\xe2\x80\x99 progress, it has no assurance\n\n      17\n         This testimony, titled \xe2\x80\x9cFBI REORGANIZATION: Initial Steps Encouraging\nbut Broad Transformation Needed\xe2\x80\x9d (GAO-02-865T), was released on June 21, 2002.\n      18\n         This report, titled \xe2\x80\x9cCAMPAIGN FINANCE TASK FORCE: Problems and\nDisagreements Initially Hampered Justice\xe2\x80\x99s Investigation\xe2\x80\x9d (GAO/GGD-00-101BR),\nwas released on May 31, 2000.\n      19\n           This GAO report is discussed later in this report.\n      20\n       \xe2\x80\x9cINFORMATON TECHNOLOGY: INS Needs to Strengthen Its Investment\nManagement Capability\xe2\x80\x9d (GAO-01-146) was issued by the GAO in December 2000.\n\n\n                                          -8-\n\x0c      that it has the necessary investment management\n      processes in place to maximize the value of its IT\n      investments and manage the risks associated with the\n      investments.\n\n       The DOJ issued ITIM guidance in August 2001 and required the\ncomponents to develop an ITIM process by January 2002. This\nguidance, and the FBI\xe2\x80\x99s ITIM process, are further discussed later in\nthis introduction.\n\n4. The FBI\xe2\x80\x99s Current IT Investment Efforts\n\n      In a statement before the House Subcommittee on\nAppropriations in March 2002, FBI Director Mueller stated: \xe2\x80\x9cWithout\nquestion, we all believe [information infrastructure] is the number one\nproblem confronting the FBI today, recognize that for a number of\nreasons the situation developed over time, and know that in the future\na better approach to technology upgrades must be used.\xe2\x80\x9d\n\n       In the FBI Information Technology Upgrade Plan (FITUP),\nprepared and submitted to Congress in September 2000, the Bureau\nstated that a lack of funding was the cause for not making meaningful\nupgrades to its IT infrastructure since 1994. Congress responded to\nthis concern by appropriating a total of approximately $2.2 billion for\nFBI IT projects and systems for FYs 1997 to 2002.21 The FBI received\n$335.6 million of this amount in January 2002 from the Emergency\nSupplemental Appropriations Act for information technology. The\nfollowing table summarizes the funds appropriated for FBI IT\ninvestments since FY 1997.\n\n\n\n\n      21\n         This appropriation includes operation and maintenance costs of existing IT\nsystems, enhancements to existing IT systems, and funding for new IT projects. The\nappropriation also includes personnel costs for managing the IT projects and\nsystems.\n\n\n                                      -9-\n\x0c   Funds Appropriated for FBI IT Investments Since FY 1997\n\n\n                                       Total IT Investments\n                    Fiscal Year            (in millions)\n                         2002                     $714.0\n                         2001                     $352.8\n                         2000                     $293.0\n                         1999                     $332.0\n                         1998                     $241.2\n                         1997                     $309.2\n                        Total                   $2,242.2\n\n                     Source: Exhibit 53s22 prepared by the FBI\n\n      The FBI has several critical initiatives underway to upgrade its\ninfrastructure and investigation applications. Additionally, the FBI has\nundertaken a major hiring initiative to recruit private sector IT experts\nwho can assist in designing and managing the sizable IT projects\nrecently funded by Congress. For example, the FBI\xe2\x80\x99s last two Chief\nInformation Officers were hired from the private sector. Also, in\nMarch 2002, the FBI announced the hiring of a project executive from\nthe private sector to manage Trilogy. Further, in June 2002, the FBI\nannounced the hiring of an executive from the private sector to\nbecome the new Executive Assistant Director for Administration.\n\n5. Trilogy: The FBI\xe2\x80\x99s Largest IT Investment\n\n      Currently, the FBI\xe2\x80\x99s largest IT project designed to improve IT\ninfrastructure and office automation is the Trilogy project, formerly\nknown as the FITUP. In September 2000, the FITUP was established\nto enhance the investigative support for FBI agents. The FITUP noted\nthe following IT needs:\n\n\n\n\n       22\n           The Exhibit 53 for each fiscal year lists funds appropriated for major IT\nprojects. The FBI prepares the Exhibit 53 and submits it to the DOJ, which submits\nit to the Office of Management and Budget (OMB). Total IT investments include\noperation and maintenance costs of existing IT systems, enhancements to existing IT\nsystems, and funding for new IT projects. These investment costs also include\npersonnel costs associated with managing IT projects and systems.\n\n\n                                      - 10 -\n\x0c   \xe2\x80\xa2   getting all case files into electronic databases (since the ACS is\n       not consistently used);\n\n   \xe2\x80\xa2   making IT more user friendly for agents;\n\n   \xe2\x80\xa2   providing access to all databases via one search engine; and\n\n   \xe2\x80\xa2   providing reliable, high-speed flexible communications.\n\n      To address the above needs, the FITUP, renamed to Trilogy, is\nintended to upgrade the FBI\xe2\x80\x99s: (1) hardware and software \xe2\x80\x93 referred\nto as the Information Presentation Component (IPC),\n(2) communication networks \xe2\x80\x93 referred to as the Transportation\nNetwork Component (TNC), and (3) five most important investigative\napplications \xe2\x80\x93 referred to as the User Applications Component (UAC).\nThe IPC and TNC upgrades will provide the physical infrastructure\nneeded to run the applications from the UAC portion of Trilogy. The\nUAC portion is intended to upgrade and consolidate five of the FBI\xe2\x80\x99s\n42 investigative applications. Because there are 37 other investigative\napplications and approximately 160 non-investigative applications that\nTrilogy will not address, Trilogy is only a starting point towards\nupgrading the FBI\xe2\x80\x99s entire IT infrastructure.\n\n       In November 2000, Congress appropriated $100.7 million for the\nfirst year of the $379.8 million Trilogy project, which was to be funded\nover a three-year period (from the date contractors were hired). The\n$100.7 million was a combination of new program funding and a\nre-direction of base resources. The FBI combined the IPC and TNC\nportions for continuity when it requested contractor support, since\nboth encompass physical IT infrastructure enhancements. The\ncontractor for the IPC/TNC portions was hired in May 2001. As a\nresult, the originally scheduled completion date for these initiatives\nwas May 2004. A separate contractor was hired in June 2001 to\ncomplete the UAC portion of Trilogy by June 2004.\n\n      After the terrorist attacks on September 11, 2001, the\nimportance of giving FBI agents and analysts the technological tools\nnecessary to perform their duties was heightened in the eyes of\nCongress, the Attorney General, and the Director. Because the goal of\nTrilogy is to address many of the technological needs of the FBI,\nsuccessful completion of the project in the shortest amount of time\npossible was viewed as increasingly critical to the FBI\xe2\x80\x99s fight against\nterrorism. Rather than wait three years for the benefits of Trilogy,\nCongress fully funded the FBI\xe2\x80\x99s original request of $379.8 million and\n\n\n                                   - 11 -\n\x0cprovided an additional $78 million in January 2002 to speed up its\ndeployment.23 With the supplemental funding, the FBI indicated to\nCongress that it would complete the deployment of hardware\n(including new desktop computers), networks, and software by\nJuly 2002. Additionally, the FBI would seek to accelerate upgrades to\nthe five user applications. However, as discussed later in this report,\nthe FBI did not meet its July 2002 milestone and is not expecting to\ncomplete the deployment of hardware, software, and networks until\nMarch 2003.\n\n       Although we believe the FBI must have sufficient resources to\nupgrade its technology through Trilogy and other projects, it must also\nhave the management processes in place to effectively utilize those\nresources. With the recent influx of funding to the FBI, Congress\nexpects the FBI to make significant strides in upgrading its IT\ninfrastructure. But we believe the FBI will be successful in doing so\nonly if it has effective IT management control processes in place.\nLater in this report, we provide an assessment of the FBI\xe2\x80\x99s\nmanagement of Trilogy.\n\n6. Framework for Assessing IT Investment Management\n\n      Several recent management reforms have required federal\nagencies to improve their management processes for selecting and\nmanaging IT investments. In particular, the Clinger-Cohen Act of\n1996 requires the head of each agency to implement a process for\nmaximizing the value of the agency\'s IT investments and for assessing\nand managing the risks of its acquisitions. A key goal of the\nClinger-Cohen Act is for agencies to have processes in place to ensure\nthat IT projects are being implemented at acceptable costs and within\nreasonable time frames, and that the projects are contributing to\ntangible, observable improvements in mission performance.\n\n      The Clinger-Cohen Act defines requirements for capital planning\nand control of IT investments and mandates a select/control/evaluate\napproach that federal agencies must follow. The following graphic\ndescribes the fundamental phases of this IT investment approach.\n\n\n\n\n      23\n        The $78 million was part of the $745 million received from the Emergency\nSupplemental Appropriations Act.\n\n\n                                     - 12 -\n\x0c       Fundamental Phases of the IT Investment Approach\n\n\n\n               ?\n       How do you know\n       you have selected\n       the best projects?               Select \xe2\x80\xa2 Screen\n                                               \xe2\x80\xa2 Rank\n                                        Phase \xe2\x80\xa2 Select\n                                                                         ?\n                                                                    How are you\n                      Evaluate                                      ensuring\n                      Phase                               Control   that projects\n                                                                     deliver\n                            \xe2\x80\xa2 Conduct       DATA          Phase     benefits?\n                              reviews\n                                                      \xe2\x80\xa2 Monitor\n                            \xe2\x80\xa2 Make adjustments\n                                                      progress\n                            \xe2\x80\xa2 Apply lessons\n                                                      \xe2\x80\xa2 Take\n             ?                learned\n                                                      corrective\n       Are the systems                                  actions\n       delivering what\n       you expected?\n\n\n\n      Source: GAO\n\n\n\n      According to a GAO report, while almost all federal agencies\nhave created some type of IT investment management process, none\nhas implemented stable processes that address all three phases of the\nselect/control/evaluate approach.24 One barrier to implementing\nstable IT investment processes has been the lack of specific guidance\nregarding what processes are required to build a stable, reliable IT\ninvestment management organization. The select/control/evaluate\napproach provides sound advice, but it does not provide a\ncomprehensive discussion of the organizational processes involved.\n\n      To address this concern, in May 2000 the GAO developed the\nIT Investment Management Framework (Framework) to provide a\ncommon methodology for discussing and assessing IT capital planning\nand investment management practices at federal agencies. The\nFramework enhances previous federal IT investment management\nguidance by embedding the select/control/evaluate approach within a\nframework that explicitly describes the organizational processes\nrequired to carry out good IT investment management.\n\n\n      24\n        \xe2\x80\x9cInformation Technology Investment Management: An Overview of GAO\xe2\x80\x99s\nAssessment Framework\xe2\x80\x9d (GAO/AIMD-00-155) was issued in May 2000.\n\n\n                                             - 13 -\n\x0c      The Framework, based on best practices of leading\norganizations, is a hierarchical model comprising of five maturity\nstages. These maturity stages represent steps toward achieving stable\nand mature investment management processes. Each stage builds\nupon the lower stages and enhances the organization\'s ability to\nmanage its investments. As agencies advance through these stages,\nthe agencies\xe2\x80\x99 capability to effectively manage IT increases. The\nfollowing graphic describes the five maturity stages of the Framework.\n\n             The Five Maturity Stages of the ITIM Framework\n                          Maturity Stages\n  Enterprise                                                           Description\n and Strategic\n    Focus                          Stage 5\n                                                      Investment benchmarking and IT-enabled\n                            Leveraging IT for         change management techniques are deployed\n                           Strategic Outcomes         to strategically shape business outcomes.\n\n                                 Stage 4\n                                                      Process evaluation techniques focus on\n                           Improving the              improving the performance and management\n                        Investment Process            of the organization\'s IT investment portfolio.\n\n                            Stage 3                   Comprehensive IT investment portfolio selection\n                                                      and control techniques are in place that\n                     Developing a Complete            incorporate benefit and risk criteria linked to\n                      Investment Portfolio            mission goals and strategies.\n\n                          Stage 2                     Repeatable investment control techniques are in\n                        Building the                  place and the key foundation capabilities have\n                                                      been implemented.\n                   Investment Foundation\n\n                       Stage 1                        There is little awareness of investment\n                                                      management techniques. IT management\n  Project-       Creating Investment\n                                                      processes are ad hoc, project-centric, and\n  Centric            Awareness                        have widely variable outcomes.\n\n\n\n        Source: GAO\n\n       With the exception of the first stage, each maturity stage is\ncomposed of critical processes that must be implemented and\ninstitutionalized for the organization to satisfy the requirements of that\nstage. These critical processes are further broken down into key\npractices that describe the types of activities that an agency should be\nengaged in to successfully implement each critical process. An\norganization that has these critical processes in place is in a better\nposition to successfully invest in IT. The following graphic describes\nthe Framework\xe2\x80\x99s five stages and associated critical processes.\n\n\n\n\n                                             - 14 -\n\x0c      The ITIM Framework\xe2\x80\x99s Stages of Maturity with Critical\n                         Processes\n\n      M aturity S tages\n                                          C ritical Processes\n               Stage 5\n            Leveraging IT      Investm ent P rocess B enchm arking\n             for Strategic     IT-D riven S trategic B usiness C hange\n              O utcom es\n              Stage 4          P ost-Im plem entation R eview s and Feedback\n           Im proving the      Portfolio P erform ance E valuation and Im provem ent\n                               S ystem s and Technology Succession M anagem ent\n            Investm ent\n              Process\n                               A uthority A lignm ent of IT Investm ent B oards\n             Stage 3           Portfolio S election C riteria D efinition\n           D eveloping         Investm ent A nalysis\n           a C om plete        P ortfolio D evelopm ent\n       Investm ent Portfolio   P ortfolio P erform ance O versight\n          Stage 2\n        Building the           IT Investm ent B oard O peration\n        Investm ent            IT Project O versight\n        Foundation             IT A sset Tracking\n                               B usiness N eeds Identification for IT P rojects\n        Stage 1                P roposal S election\n       C reating\n      Investm ent              IT Spending w ithout D isciplined Investm ent\n      Aw areness               Processes\n\n      Source: GAO\n\n       As established by the Framework, each critical process contains\nfive core elements that indicate whether the implementation and\ninstitutionalization of a process can be effective and repeated. The\nfive core elements are:\n\n  \xe2\x80\xa2   Purpose: This element is the primary reason for engaging in\n      the critical process and states the desired outcome for the\n      critical process.\n\n  \xe2\x80\xa2   Organizational commitment: This element comprises\n      management actions that ensure that the critical process is\n      established and will endure. Key practices typically involve\n      establishing organizational policies and engaging senior\n      management sponsorship.\n\n  \xe2\x80\xa2   Prerequisites: These elements are the conditions that must\n      exist within an organization to successfully implement a critical\n      process. These conditions typically involve allocating resources,\n      establishing organizational structures, and providing training.\n\n\n\n                                   - 15 -\n\x0c  \xe2\x80\xa2   Activities: These elements are the key practices necessary to\n      implement a critical process. An activity occurs over time and\n      has recognizable results. Key practices typically involve\n      establishing procedures, performing and tracking the work, and\n      taking corrective actions as necessary.\n\n  \xe2\x80\xa2   Evidence of performance: This element comprises artifacts,\n      documents, or other evidence that supports a contention that\n      the key practices within a critical process have been or are being\n      implemented. This core element typically consists of the\n      collection and verification of physical, documentary, or\n      testimonial evidence and often involves reviews by objective\n      parties.\n\n      With the exception of the \xe2\x80\x9cpurpose\xe2\x80\x9d core element, each of the\nother core elements contains key practices. The key practices are the\nattributes and activities that contribute most to the effective\nimplementation and institutionalization of a critical process. The\nfollowing graphic summarizes the interrelationships of components in\nan ITIM critical process.\n\n\n\n\n                                 - 16 -\n\x0c                     Components of an ITIM Critical Process\n\n\n                                  Purpose\n                                  This is the primary reason for engaging in the critical process\n                                  and states the desired outcome for the critical process.\n\n\n\n\n  Prerequisites                             Activities                                     Evidence of\n  These are the conditions that must        These are the key practices                    Performance\n  exist within an organization to           necessary to implement a critical              These are artifacts, documents, or\n  successfully implement a critical         process. An activity occurs over time          other evidence that support a\n  process. This core element                and has recognizable results. Key              contention that the key practices\n  typically involves allocating             practices within this core element             within a critical process have or are\n  resources, establishing                   typically involve establishing                 being implemented. This core\n  organizational structures, and            procedures, performing and tracking            element typically consists of the\n  providing training.                       the work, and taking corrective                collection and verification of\n                                            actions as necessary.                          physical, documentary, or\n                                                                                           testimonial evidence and typically\n                                                                                           involves reviews by objective\n                                                                                           parties.\n\n\n\n                                Organizational Commitment\n                                These are management actions that ensure that the critical\n                                process is established and will endure. Key practices within\n                                this core element typically involve establishing\n                                organizational policies and engaging senior management\n                                sponsorship.\n\n\n\n\n       Source: GAO\n\n7. The DOJ\xe2\x80\x99s ITIM Guidance\n\n      In August 2001, the DOJ\xe2\x80\x99s Justice Management Division (JMD)\nissued the Guide to the Department of Justice Information Technology\nInvestment Management Process (Guide). In response to various\nregulations and guidelines issued in the last several years (including\nthe Clinger-Cohen Act, Executive Order 13011, and the\nOffice of Management and Budget (OMB) Circular A-130), the DOJ\nissued the Guide to fulfill its obligation and responsibility to make\nmeasurable improvements in mission performance and service delivery\nto the public through the strategic application of IT.\n\n      The Guide uses the select/control/evaluate methodology to\nimplement the strategic and performance directives of the\nClinger-Cohen Act and other statutory provisions affecting IT\ninvestments. The Guide is intended to promote a process that builds\non existing structures to provide maximum benefit across the entire\nDOJ and with other federal agencies. This process allows the DOJ to\nfocus IT management on the strategic missions of the DOJ. Further, it\n\n\n                                                         - 17 -\n\x0cpromotes an investment review process that drives budget formulation\nand execution for information systems, and restructures the way the\nDOJ performs its functions before investing in IT. In addition, this\nprocess provides the methods, structures, disciplines, and\nmanagement framework that govern the way IT is deployed\nthroughout the DOJ. The Guide applies to all IT projects from all DOJ\ncomponents.\n\n       The Guide requires each component to:\n\n   \xe2\x80\xa2   designate a component Chief Information Officer consistent with\n       the DOJ\xe2\x80\x99s ITIM policy;\n\n   \xe2\x80\xa2   establish an Executive Review Board that will approve the entire\n       component IT portfolio and oversee the decisions made about\n       specific investments; and\n\n   \xe2\x80\xa2   establish a component ITIM process that incorporates the DOJ\xe2\x80\x99s\n       ITIM process, but is customized to function within the\n       component\xe2\x80\x99s unique environment.\n\n     Further, by January 2002 each component was required to\nsubmit to the DOJ an ITIM plan incorporating the above stipulations.\n\n8. The FBI\xe2\x80\x99s Recent Efforts to Implement an ITIM Process\n\n      In an effort to improve its IT investment management practices\nand comply with DOJ and other statutory regulations, the FBI\ndeveloped the \xe2\x80\x9cITIM Model and Transition Plan\xe2\x80\x9d (Plan) with support\nfrom a contractor. The initial draft of the Plan was completed and\nsubmitted to JMD in January 2002. The FBI has retained this\ncontractor to assist in the ongoing implementation of the ITIM process.\nThe FBI estimates total costs for developing its ITIM process will be in\nexcess of $4 million through FY 2003.\n\n      The purpose of the Plan is to establish and define the FBI\xe2\x80\x99s\nStage Two25 methodology and build the foundation for enhanced IT\ninvestment management. It identifies the gaps between the FBI\xe2\x80\x99s\ncurrent IT investment processes and the required IT management\npractices for Stage Two maturity.\n\n\n       25\n        \xe2\x80\x9cStage Two\xe2\x80\x9d refers to Stage Two of the Framework, Building the IT\nInvestment Foundation.\n\n\n\n                                     - 18 -\n\x0c      The following excerpts from the FBI\xe2\x80\x99s Plan provide an overview\nof how the FBI\xe2\x80\x99s select, control, and evaluate processes for IT\ninvestment management are intended to operate upon\nimplementation.26\n\n       Select\n\n       In the Select phase, potential projects will be initiated by\n       the project sponsor via the development of a preliminary\n       feasibility analysis (concept paper), followed by the\n       development of a more-robust business case analyses\n       (OMB Exhibit 300). The project proposal package will be\n       submitted to the Technical Review Board27 to be assessed\n       for any technical risks and then submitted to the Project\n       Oversight Committee28 for a business review. The Project\n       Oversight Committee will assemble the multiple requests\n       and prioritize these requests against predefined selection\n       criteria. A \xe2\x80\x9ccandidate\xe2\x80\x9d fiscal project portfolio will then be\n       developed and presented to the Executive Review Board29\n       for final evaluation and approval, and ultimately for\n       submission to the fiscal budget process.\n\n       Control\n\n       In the Control phase, the current fiscal year IT portfolio\n       will be tracked by the functional project management\n       office and individual project teams. Monthly status reports\n       will be created and presented to the Project Oversight\n       Committee, who will work to mitigate any project related\n       risks. Projects with exceptions to the baseline plans will be\n       subsequently presented to the Executive Review Board for\n\n       26\n         See Appendices 2 and 3, respectively, for flowcharts on the Plan\xe2\x80\x99s control\nand evaluate processes.\n       27\n          According to the Plan, the Technical Review Board must be established to\nreview each proposed ITIM initiative for enterprise architecture compliance, IT\nsecurity compliance, and other technical risks.\n       28\n         According to the Plan, the Project Oversight Committee must be established\nto perform the program management and oversight duties of the ITIM process, such\nas making recommendations to the Executive Review Board on selecting IT proposals\nand disposing of IT projects.\n       29\n        According to the Plan, the Executive Review Board must be established to\nmake the final IT investment decisions.\n\n\n                                       - 19 -\n\x0c       decisions about budget, scope, timeline and/or projected\n       outcomes. During the control phase, a project will be able\n       to receive approval to: proceed \xe2\x80\x9cas is,\xe2\x80\x9d proceed with\n       modified funding levels and/or modified functionality, or be\n       terminated.\n\n       Evaluate\n\n       In the Evaluate phase, IT investments that are in the\n       operations and maintenance mode will be monitored by\n       the Executive Review Board to ensure that expected\n       benefits are being realized. Periodic program reviews will\n       be conducted, wherein each IT investment will be\n       evaluated against predefined performance metrics and\n       criteria. Based on the reviews, decisions will be made\n       about: future phases of existing projects; and the current\n       policies and procedures governing the entire IT investment\n       management, the systems development life-cycle, and\n       other related processes. Advocacy arguments (to modify\n       existing management practices and procedures) are also\n       constructed during this phase, if applicable.\n\n       JMD officially approved the FBI\xe2\x80\x99s Plan in May 2002, although\nofficials from the IRD told us that in February 2002 they received\nverbal approval to initiate their ITIM process.30 The May 2002\napproval letter states that the FBI ITIM process conforms to the\nguidelines defined by the GAO, OMB, and DOJ. Further, it states that\nthe Plan is clear and comprehensive in its statement of the ITIM policy\nand its definition of organizational roles, responsibilities, and\ndeliverables. Additional JMD comments, as well as our own\nindependent assessment of the Plan, are discussed later in this report.\n\n      The FBI started its ITIM process in February 2002 by appointing\nthe three oversight review boards discussed above (the Technical\nReview Board, the Project Oversight Committee, and the Executive\nReview Board). Also, in February 2002 the FBI held training seminars\nfor each division to introduce the concepts of the Plan. In March 2002,\nthe FBI began pilot testing the select phase of the Plan for FY 2004\nproposed IT project enhancements. In May 2002, the pilot test of the\n\n\n       30\n         JMD officials told us that the delay in providing written approval of the FBI\xe2\x80\x99s\nITIM process was because JMD did not have a Chief Information Officer early in\n2002.\n\n\n\n                                        - 20 -\n\x0cselect phase was completed and the ITIM contractor issued the, \xe2\x80\x9cPost\nImplementation Review: FBI ITIM Pilot.\xe2\x80\x9d\n\n      The Plan recognizes that as the FBI\xe2\x80\x99s ITIM process moves\nthrough the maturity stages, other key components of IT\ninfrastructure must evolve to optimize the IT investment function.\nThese components include an IT strategic plan, an enterprise\narchitecture framework, and project management. According to the\nFramework, an effective IT function will include these components and\nmature IT investment management processes are dependent on the\ncomponents being in place.\n\n\n\n\n                                - 21 -\n\x0c        OIG FINDINGS AND RECOMMENDATIONS\n\n1. The FBI\xe2\x80\x99s Management of IT Investments\n\n     The FBI is not effectively selecting, controlling, and\n     evaluating its IT investments because it has not fully\n     implemented any of the critical processes necessary for\n     successful IT investment management. In the past, the\n     FBI has not given sufficient attention to information\n     technology investment management. As a result, the FBI\n     continues to spend hundreds of millions of dollars on IT\n     projects without having adequate selection and project\n     management controls in place to ensure that IT projects\n     will meet intended goals. However, since the FBI\n     developed its ITIM Model and Transition Plan in\n     January 2002, it has focused more management attention\n     in this area and has made progress towards attaining a\n     basic IT investment management foundation. Much of the\n     progress has been in the \xe2\x80\x9cselect\xe2\x80\x9d phase of the Plan, which\n     was pilot tested in the Spring of 2002.\n\n     The ability of the FBI to completely implement the\n     \xe2\x80\x9ccontrol\xe2\x80\x9d and \xe2\x80\x9cevaluate\xe2\x80\x9d phases of the Plan, and achieve\n     mature IT investment processes that can lead to enhanced\n     mission performance, will require the FBI to increase its\n     efforts in: (1) fully developing and documenting its new\n     ITIM process; (2) requiring more input and participation\n     from ITIM managers and users; and (3) further developing\n     its project management and enterprise architecture\n     functions. While the FBI recognizes many of these needs\n     and has taken initial steps to address the needs, further\n     action in these areas is needed to ensure that IT projects\n     are developed within cost and schedule requirements, and\n     meet performance expectations. The Trilogy project\n     provides an example of how the non-implementation of\n     fundamental IT investment management practices can put\n     a project at risk of not delivering, within cost and schedule\n     requirements, what was promised.\n\nA. The FBI\xe2\x80\x99s Progress Toward Attaining a Basic IT\n   Investment Management Foundation\n\n      Although the FBI made measurable progress in improving its IT\ninvestment capability since it initiated a new ITIM process in early\n\n\n                                - 22 -\n\x0c2002, the FBI still lacks a complete foundation to build its IT\ninvestment maturity processes, and therefore is still in Stage One\nmaturity.31 In the past, the FBI has not given sufficient management\nattention to IT investments. Because of the lack of management\nattention in the past, the FBI failed to implement the critical processes\nnecessary to build an IT investment foundation. These critical\nprocesses include: (1) IT investment review board operation, (2) IT\nproject oversight, (3) IT system and project identification and tracking,\n(4) business needs identification for IT projects, and (5) IT proposal\nselection.\n\n(1) Importance of Attaining a Basic IT Investment\n    Management Foundation\n\n       The primary purpose for attaining a basic IT investment\nmanagement capability (Stage Two maturity) is to build the foundation\nfor repeatable, successful IT project-level investment control and\nselection processes. Effective control processes over IT projects\nensure that deviations from cost and schedule baselines can be\nidentified and corrected. Selection processes ensure that the FBI has\nan effective methodology for approving only IT projects that are\nconsistent with its needs and goals. According to the Framework, an\norganization can only achieve Stage Two maturity if it fully implements\nthe following five critical processes:\n\n       1. defining investment review board operations,\n\n       2. developing a basic process for selecting new IT\n          proposals,\n\n       3. developing project-level investment control processes,\n\n       4. identifying IT projects and systems, and\n\n       5. identifying the business needs for each IT project.\n\n       To implement these critical processes, the FBI must execute a\ntotal of 38 key practices as defined in the Framework, or have\nalternative practices in place that are designed to achieve the same\noutcome.\n\n       31\n         Stage One maturity is the lowest level of maturity designated by the GAO\nITIM Framework. According to the Framework, an organization is in Stage One\nmaturity when it has not fully implemented the five critical processes associated with\nStage Two maturity.\n\n\n                                       - 23 -\n\x0c       At the start of our audit in January 2002, FBI officials told us\nthat the Bureau was in the process of developing its new ITIM process.\nAlthough its ITIM process was still in the development stages, FBI\nofficials told us that the FBI was executing certain key practices from\nStage Two of the Framework. Additionally, the FBI officials said in\nMarch 2002 that they would pilot test ITIM processes pertaining to the\nselection of new IT proposals for the FY 2004 budget cycle. Further,\nthe Plan establishes the FBI\xe2\x80\x99s goal to fully attain Stage Two maturity\nfor the FY 2005 budget cycle that starts in March of 2003, thereby\nestablishing the foundation for enhanced investment capability.\n\n(2) Summary of the FBI\xe2\x80\x99s Progress Toward Attaining Stage\n    Two Maturity\n\n      Based on the FBI\xe2\x80\x99s responses to the self-assessment32 (and our\nvalidation of those responses), the FBI did not yet have in place any of\nthe five critical processes associated with Stage Two maturity.\nHowever, since the FBI began pilot testing the select phase of its Plan\nin March 2002, it has made progress towards implementing the 38 key\npractices comprising the five critical processes - particularly in the area\nof selecting new proposals for IT projects. Specifically, at the\nbeginning of our audit in January 2002, the FBI was only executing\n4 of the 38 required key practices; however, as of June 2002, the FBI\nwas executing 14 of the key practices. The following table provides a\nsummary of the FBI\xe2\x80\x99s progress toward implementing the key practices\nrequired for each critical process.\n\n\n\n\n      32\n        To facilitate our assessment of the FBI\xe2\x80\x99s IT investment maturity, the FBI\ncompleted a self-assessment regarding the key practices from the Framework that it\nwas executing, or planning to execute, upon implementation of its new ITIM process.\n\n\n                                      - 24 -\n\x0c         FBI Progress Toward Attaining Stage Two Maturity\n\n                                                        Key         Key\n                                                     Practices   Practices\n                       Status of                     Executed    Executed\n                     Implementing        Total Key    Prior to     as of\n   Critical             Critical         Practices     March       June\n   Process             Process           Required      2002        2002\n\n1. IT Investment\n   Board\n   Operation         Not Implemented            6        0           2\n\n2. IT Project\n   Oversight         Not Implemented            11       1           2\n\n3. IT Project\n   Identification    Not Implemented            7        1           2\n4. Business\n   Needs\n   Identification\n   for IT Projects   Not Implemented            8        2           3\n\n\n                     Not Yet\n                     Implemented,\n5. Proposal          but Substantial\n   Selection         Progress Made              6        0           5\n\nTotal                                           38      4           14\n\n        Source: OIG analyses\n\n       For the remainder of section A of this finding, we provide\ndetailed narratives of the FBI\xe2\x80\x99s progress toward implementing each of\nthe five critical processes. We also provide specific recommendations\nfor expediting implementation of the critical processes and establishing\nmore timely Stage Two maturity.\n\n       Each critical process contains core elements that provide the\ncommon framework for the process. For example, the organizational\ncommitment element addresses the management actions that ensure\nthe critical process is established and will endure; the prerequisites\nelement addresses the conditions that must exist within an\norganization to successfully implement a critical process; and the\nactivities element consists of the key practices necessary to implement\na critical process. The key practices are the tasks within a core\n\n\n                                       - 25 -\n\x0celement that must be performed by an organization to effectively\nimplement and institutionalize a critical process.\n\n(3) Critical Process #1: IT Investment Review Board Operation\n\n      Depending on its size, structure, and culture, an organization\nmay have more than one IT investment review board. The purpose of\nsuch boards is to ensure that basic policies for selecting, controlling,\nand evaluating IT investments are developed, institutionalized, and\nconsistently followed throughout the organization. To establish a fully\nfunctioning investment review board, the FBI must execute the\nfollowing six key practices:\n\n      1. create an IT investment process guide containing policies\n         and procedures to direct board operations;\n\n      2. require executives and line managers to support and\n         carry out board decisions;\n\n      3. allocate adequate resources for operating each board;\n\n      4. define board membership, policies and procedures, roles and\n         responsibilities;\n\n      5. create and define board membership to integrate both IT and\n         business knowledge; and\n\n      6. require the IT investment boards to follow the written\n         policies and procedures as defined in the process guide.\n\n     The following table summarizes the FBI\xe2\x80\x99s progress toward\nimplementing fully functioning investment review boards.\n\n\n\n\n                                 - 26 -\n\x0c      FBI Progress Toward Implementing Fully Functioning\n        Investment Review Boards (Critical Process #1)\n\n                                               Key Practice     Key Practice\n                                                Execution        Execution\n                                              Status Prior to   Status as of\n             Key Practice                      March 2002        June 2002\n Organizational Commitment 1. An\n organization-specific IT investment\n process guide is created to direct each\n board\xe2\x80\x99s operations.                          Not Executed      Executed\n Organizational Commitment 2.\n Organization executives and line\n managers support and carry out IT\n investment board decisions.                  Not Executed      Not Executed\n Prerequisite 1. Adequate resources are\n provided for operating each IT\n investment board.                            Not Executed      Not Executed\n Prerequisite 2. Board members\n understand the investment board\xe2\x80\x99s\n policies and procedures and exhibit core\n competencies in using the IT investment\n approach via training, education, or\n experience.                                  Not Executed      Not Executed\n Activity 1. Each IT investment board is\n created and defined with board\n membership integrating both IT and\n business knowledge.                          Not Executed      Executed\n Activity 2. Each IT investment board\n operates according to written policies and\n procedures in the organization-specific\n IT investment process guide.                 Not Executed      Not Executed\n\n      Source: OIG analyses\n\na. The FBI Has Executed Two of the Six Key Practices\n   Associated with IT Investment Board Operation\n\n       We determined that the FBI executed two of the six key\npractices associated with implementing this critical process.\nSpecifically, the FBI created an IT investment process guide containing\npolicies and procedures to direct board operations (Organizational\nCommitment 1), and it created and defined three investment review\nboards integrating both IT and business knowledge (Activity 1).\n\n\n\n\n                                       - 27 -\n\x0c      Regarding the IT investment process guide (Organizational\nCommitment 1), in January 2002 the FBI issued its IT Investment\nModel and Transition Plan33 containing required guide elements\nprescribed by the Framework including:\n\n   \xe2\x80\xa2   specifics about the roles of key people within the FBI investment\n       process;\n\n   \xe2\x80\xa2   an outline of the significant events and decision points within the\n       processes;\n\n   \xe2\x80\xa2   an identification of the external and environmental factors that\n       will influence the processes; and\n\n   \xe2\x80\xa2   the manner in which IT investment-related processes will be\n       coordinated with other organizational plans and processes.\n\n      Regarding the investment review boards (Activity 1), in\nJune 2002 the Director approved board charters for each of the three\ninvestment review boards (the Executive Review Board, the\nProject Oversight Committee, and the Technical Review Board) that\ndefined board membership and the responsibilities of board members.\n\n   \xe2\x80\xa2   The Executive Review Board is comprised of the FBI Director (as\n       Chairperson), the Chief Information Officer, the FBI\xe2\x80\x99s four\n       Executive Assistant Directors (EADs),34 a Special Agent in\n       Charge committee member, the Assistant Director of the Finance\n       Division, and the Strategic Planning Manager.\n\n       This Board\xe2\x80\x99s primary responsibility will be to evaluate and\n       approve projects in the candidate fiscal project portfolios and\n       forward approved projects to the fiscal budget process. This\n       Board will also determine whether problematic projects should\n       proceed \xe2\x80\x9cas is,\xe2\x80\x9d proceed with modified funding levels and/or\n       modified functionality, or be terminated.\n\n   \xe2\x80\xa2   The Project Oversight Committee includes: the Chief\n       Information Officer (as Chairperson), the Assistant Director from\n\n       33\n         The Plan was issued in draft form because it is the intent of the FBI to\nmodify and supplement the Plan as the ITIM process is being pilot tested.\n       34\n         The EADs are for: (1) Criminal Investigations, (2) Counterterrorism and\nCounterintelligence, (3) Law Enforcement Services, and (4) Administration.\n\n\n\n                                        - 28 -\n\x0c       each division, a member from the Office of General Counsel, the\n       Chief Contracting Officer, and the Strategic Planning Manager.\n\n       Once the Technical Review Board completes its assessment, the\n       Project Review Board then performs a business review of the\n       proposed projects, prioritizes these proposals against predefined\n       selection criteria, and develops a \xe2\x80\x9ccandidate\xe2\x80\x9d fiscal project\n       portfolio for presentation to the Executive Review Board. The\n       committee also reviews monthly status reports for ongoing\n       projects to mitigate project related risks. Projects with\n       exceptions to baseline plans will be presented to the Executive\n       Review Board for corrective action.\n\n   \xe2\x80\xa2   The Technical Review Board is comprised of: the Section Chief,\n       Information Resources Management Office (as Chairperson); the\n       Assistant Director of IRD; the IRD\xe2\x80\x99s section chiefs; and\n       representatives from the Laboratory Division, CJIS Division, and\n       Security Division. This board\xe2\x80\x99s primary responsibility will be to\n       assess technical risks for proposed projects.\n\n      The boards actually began functioning as early as March 2002, in\nconjunction with the FBI\xe2\x80\x99s pilot testing of ITIM processes pertaining to\nthe selection of new IT proposals for the FY 2004 budget cycle.\nAlthough board membership consists mostly of FBI managers who do\nnot have extensive IT knowledge,35 the use of subject matter experts\nand reliance on the Enterprise Architecture Technical Committee36 can\ncompensate for a lack of IT knowledge.\n\nb. The FBI Must Execute Four of the Six Key Practices\n   Associated with IT Investment Board Operation\n\n      Although progress has been made, the FBI does not have fully\nfunctioning IT investment boards because it still must execute four of\nthe six key practices associated with this critical process. Specifically,\nthe FBI must ensure that:\n\n\n\n       35\n         Based on our interviews with FBI managers from the IRD, CJIS, and\nInspection Divisions, most of the members on the investment boards are former agents\nwith no specialized expertise, training, or competencies in IT.\n       36\n          The Enterprise Architecture Technical Committee was created to provide\ntechnical expertise to the Technical Review Board. Members of this committee are\ncomprised of IT specialists familiar with enterprise architecture, configuration\nmanagement, and quality assurance.\n\n\n                                      - 29 -\n\x0c   \xe2\x80\xa2   organization executives and line managers support and carry out\n       IT investment board decisions (Organizational Commitment 2);\n\n   \xe2\x80\xa2   adequate resources are provided for operating each IT\n       investment board (Prerequisite 1);\n\n   \xe2\x80\xa2   board members understand the investment board\xe2\x80\x99s policies and\n       procedures and exhibit core competencies in using the IT\n       investment approach via training, education, or experience\n       (Prerequisite 2); and\n\n   \xe2\x80\xa2   each IT investment board operates according to written policies\n       and procedures contained in the investment process guide\n       (Activity 2).\n\n       Regarding Organizational Commitment 2 and Activity 2, the\napproved charters for the investment review boards have been in\neffect since June 2002. Consequently, the FBI did not have sufficient\ndata for us to assess whether managers and support staff effectively\ncarried out board decisions and whether the boards operated according\nto the written policies and procedures contained in the Plan and board\ncharters.\n\n       Regarding Prerequisites 1 and 2, in our judgment the FBI did not\nadequately plan sufficient time to ensure the IT investment boards\noperated effectively. Specifically, the FBI did not provide ample time\nbetween the initial draft of its Plan (January 25, 2002) and the\nMarch 2002 pilot testing of the select phase to adequately prepare and\ntrain IT board members. The DOJ originally instructed each\ncomponent to begin developing an ITIM process in January 2001.37 In\nJune 2001, the DOJ required each component to complete and submit\nto JMD an ITIM process and transition plan by the end of 2001.38 The\nDOJ also required each component to initiate the ITIM process for the\nFY 2004 budget cycle, which for the FBI began in March 2002.\nConsequently, the FBI had only one full month between the issuance\nof the Plan in late January 2002 and the initiation of the select phase\nof its ITIM process in early March 2002.\n\n\n       37\n        This instruction originated from DOJ Order 2880.1A, policy on Information\nTechnology Investment Management, issued in January 2001.\n       38\n          This instruction originated from a DOJ memorandum dated\nJune 28, 2001. This memorandum required each component to have an ITIM\ntransition plan that will allow implementation for the FY 2004 budget cycle.\n\n\n                                      - 30 -\n\x0c       The ITIM Program Office Manager told us that the former FBI\nChief Financial Officer would not approve the use of a contractor to\nassist in the development of the ITIM process earlier in the year.\nAccording to the former Chief Financial Officer, she had concerns that\nfederal contracting regulations prohibited the FBI from using a\ncontractor to perform a service that involves budget planning.\nHowever, following her transfer to another division in December 2001,\nthe Information Resources Management Section received authorization\nto hire a contractor to assist with the development and implementation\nof the ITIM process.\n\n       We believe that without an ITIM contractor the FBI still had the\nopportunity to begin planning its ITIM process (including the training\nof board members) early in 2001. In fact, had the FBI better\ncoordinated other ongoing efforts to develop processes that\ncomplement IT investment management, the FBI could have made\nsignificant strides in initiating its ITIM process during 2001 without\nexpending additional resources. As discussed in section B of this\nfinding, the FBI did not sufficiently incorporate (a) its enterprise\narchitecture function (which was under development in 2001) and\n(b) the Project Management Process (issued in draft form in\nOctober 2001) into the development of its ITIM process. Enterprise\narchitecture and project management not only complement the ITIM\nprocess, but also facilitate the maturation of ITIM. As discussed in\nsection B of this finding, the FBI did not effectively utilize its internal\nresources when it developed its ITIM process through the use of a\ncontractor because the FBI did not adequately consider the\ncomplementary, and potentially duplicative efforts that were already\nunderway.\n\n      Not providing ample time resulted in inadequate training of\nboard members and minimal preparation time to develop IT proposals.\nFor example, Technical Review Board members had only 3 business\ndays to review over 50 IT proposals prior to their first board meeting.\nFBI officials recognized these implementation issues in the Post-\nImplementation Review of the select phase pilot test.\n\n      In preparing board members for their duties, the FBI has thus\nfar only provided one overview training session for board members\nand other users in the ITIM process. Additionally, while FBI officials\nhave told us more ITIM training will be forthcoming, they have not\nprovided us with any specific training plans for the future. Further,\nmembers of the Technical Review Board told us that board members,\nespecially the Assistant Directors and EADs, do not have extensive\n\n\n                                   - 31 -\n\x0cknowledge in managing IT and must rely heavily on knowledgeable\nstaff and other subject matter experts.\n\n       For the ITIM process to become institutionalized, the FBI must\nhave a better training program. According to the Framework, board\nmembers should understand the board\xe2\x80\x99s policies, roles, rules, and\nactivities and be capable of carrying out their responsibilities\ncompetently. Education and training for members is needed in areas\nsuch as economic evaluation techniques, capital budgeting methods,\nand performance measurement strategies. The FBI\xe2\x80\x99s Post-\nImplementation Review of the select phase pilot testing recommends\n\xe2\x80\x9crole-specific\xe2\x80\x9d training sessions for the following ITIM roles: (1) ITIM\nLiaison representatives,39 (2) Executive Review Board members,\n(3) Program Oversight Review Board members, (4) Technical Review\nBoard members, and (5) ITIM stakeholders. It further recommends\ncontinuation of the overview training sessions previously provided,\nplus training for ITIM specific tools, such as the concept paper\n(containing the preliminary feasibility analysis), the OMB Exhibit 300\n(containing the business case analyses), and IT proposal summaries.\n\n       FBI officials told us that time constraints were the main cause for\nnot executing the four key practices identified above. As a result,\nthere was insufficient time to introduce ITIM concepts to board\nmembers and other ITIM users. As mentioned above, the DOJ\nrequired each component to develop and begin implementation of an\nITIM process for the FY 2004 budget cycle, which for the FBI begins in\nMarch 2002. Although FBI officials were aware of the requirement to\ninitiate and adopt an ITIM process in January 2001, it was not until\nDecember 2001 that it began to develop its ITIM process. Had the FBI\ninitiated more timely action to develop its ITIM process, it would have\nhad significantly more time to prepare and train ITIM board members\nand other users. Without sufficient training and allocation of time to\nperform required tasks, the investment review boards cannot carry out\ntheir responsibilities to effectively select, control and evaluate projects.\n\n\n\n\n       39\n          The FBI\xe2\x80\x99s ITIM process defines the ITIM Liaison Representative as an\nindividual from a particular division/business unit that facilitates workflow\nand communications between that division/business unit and the ITIM\nprogram office.\n\n\n\n                                       - 32 -\n\x0cc. Recommendations\n\n          We recommend that the Director of the FBI:\n\n1.       Require the ITIM Program Office to plan for and take more timely\n         action to allow board members and other ITIM users to execute\n         assigned responsibilities competently (Prerequisite 1).\n\n2.       Ensure that all members of IT investment boards receive sufficient\n         education and training to execute assigned responsibilities\n         effectively. We suggest that for each of the investment boards the\n         FBI: (a) identify the core competencies required of members in\n         using the IT investment approach, and (b) develop appropriate\n         education and training development plans to ensure members\n         acquire the required core competencies (Prerequisite 2).\n\n(4) Critical Process #2: IT Project Oversight\n\n       The purpose of this critical process is to ensure that the FBI\xe2\x80\x99s\ninvestment review boards and project development teams provide\neffective oversight for its IT projects throughout all phases of the\nproject life-cycle. IT investment boards generally review each\nproject\xe2\x80\x99s progress toward predicted cost and schedule expectations as\nwell as anticipated benefits and risk exposure. The board members\nalso employ early warning systems that enable them to take corrective\nactions at the first signs of cost, schedule, and performance slippages.\nIndividual project development teams are responsible for meeting\nproject milestones within the expected cost and schedule parameters.\n\n          Effective project oversight requires, among other things:\n\n     \xe2\x80\xa2    having written policies and procedures for project management;\n\n     \xe2\x80\xa2    developing and maintaining an approved project management\n          plan for each project;\n\n     \xe2\x80\xa2    having written policies and procedures for oversight of IT\n          projects;\n\n     \xe2\x80\xa2    making up-to-date cost and schedule data for projects available\n          to the investment review boards;\n\n\n\n\n                                     - 33 -\n\x0c   \xe2\x80\xa2   reviewing each project\xe2\x80\x99s performance by comparing actual cost\n       and schedule data to expectations regularly; and\n\n   \xe2\x80\xa2   ensuring that corrective actions for each under-performing\n       project are defined, implemented, and tracked until the desired\n       outcome is achieved.\n\n       We concluded that the FBI is not effectively overseeing its\nongoing IT projects. While the FBI maintained project management\nguidance and had three IT investment review boards in operation since\nMarch 2002, these activities have not adequately supported the FBI\xe2\x80\x99s\nIT project oversight function. Our testing of the key practices\nassociated with this critical process indicates that the FBI is executing\nonly two out of the eleven key practices required to implement this\ncritical process. The following table summarizes FBI progress toward\nimplementing IT project oversight.\n\n\n\n\n                                 - 34 -\n\x0c   FBI Progress Toward Implementing IT Project Oversight\n                   (Critical Process #2)\n\n                                           Key Practice     Key Practice\n                                            Execution        Execution\n                                          Status Prior to   Status as of\n           Key Practice                    March 2002        June 2002\nOrganizational Commitment 1. The\norganization has written policies and\nprocedures for project management.        Executed          Executed\nOrganizational Commitment 2. The\norganization has written policies and\nprocedures for management oversight\nof IT projects.                           Not Executed      Not Executed\nPrerequisite 1. Adequate resources\nare provided to assist the boards in\noverseeing IT projects.                   Not Executed      Not Executed\nPrerequisite 2. Each IT project has\nand maintains an approved project\nmanagement plan that includes cost\nand schedule controls.                    Not Executed      Not Executed\nPrerequisite 3. An IT investment\nreview board is operating.                Not Executed      Executed\nPrerequisite 4. Information from the\nIT asset inventory is used by the IT\ninvestment board as applicable.           Not Executed      Not Executed\nActivity 1. Each project\'s up-to-date\ncost and schedule data are provided to\nthe appropriate IT investment board.      Not Executed      Not Executed\nActivity 2. Using established criteria,\nthe IT investment board oversees each\nIT project\'s performance regularly by\ncomparing actual cost and schedule\ndata to expectations.                     Not Executed      Not Executed\nActivity 3. The IT investment board\nperforms special reviews of projects\nthat have not met predetermined\nperformance standards.                    Not Executed      Not Executed\nActivity 4. Appropriate corrective\nactions for each under-performing\nproject are defined, documented, and\nagreed to by the IT investment board\nand the project manager.                  Not Executed      Not Executed\nActivity 5. Corrective actions are\nimplemented and tracked until the\ndesired outcome is achieved.              Not Executed      Not Executed\n\n  Source: OIG analyses\n\n\n\n\n                                    - 35 -\n\x0ca. The FBI Has Executed Two of the Eleven Key Practices\n   Associated with IT Project Oversight\n\n       While the FBI has project management guidance (and is\ntherefore executing the key practice relating to the existence of project\nmanagement methodology), the guidance is not being followed on a\nconsistent basis. In fact, depending on whom we talked to, we\nobtained different answers as to which document represented the FBI\xe2\x80\x99s\nofficial project management guidance.\n\n      For example, although IRD managers were aware that the DOJ\xe2\x80\x99s\nSystem Development Life-Cycle is the FBI\xe2\x80\x99s official project\nmanagement methodology, they acknowledged that it is not\nconsistently applied. Laboratory Division management officials told us\nthat they do not follow the DOJ\xe2\x80\x99s System Development Life-Cycle\nmethodology, but rather have adopted their own project management\nsystem based on one used at the Department of Defense because it\nbetter meets their needs. CJIS Division management officials told us\nthat although its Contract Administration Office is responsible for\nproject management functions, they were not following any specific\nproject methodology.\n\n      Other FBI personnel from the Information Resources\nManagement Section told us the Project Management Process,\ndeveloped by the FBI\xe2\x80\x99s Inspection Division, was the FBI\xe2\x80\x99s project\nmanagement guidance. However, Inspection Division personnel\nindicated to us that the Project Management Process was still pending\napproval from the Director, as of June 2002. As a result, there\nappeared to be confusion among FBI officials as to what the official\nproject management guidance was. As of June 2002, the Project\nManagement Process had not been approved, nor was it being used to\nmanage IT projects.\n\n      As previously discussed in the prior report section pertaining to\nthe investment review board critical process, the FBI established three\nIT investment review boards in March 2002 (the Executive Review\nBoard, the Project Oversight Committee, and the Technical Review\nBoard). Although the investment review boards are operating, the\nboards have not yet been involved in project oversight. As the ITIM\nprocess continues to evolve, project oversight by these boards should\nincrease accordingly.\n\n\n\n\n                                 - 36 -\n\x0cb. The FBI Must Execute Nine of the Eleven Key Practices\n   Associated with IT Project Oversight\n\n      Based on our analyses, the FBI does not have effective IT\nproject oversight because it has not yet executed nine out of the\neleven key practices associated with this critical process. Specifically,\nthe FBI must ensure that:\n\n   \xe2\x80\xa2   written policies and procedures are developed for management\n       oversight of IT projects (Organizational Commitment 2);\n\n   \xe2\x80\xa2   adequate resources are provided to assist the investment boards\n       in overseeing IT projects (Prerequisite 1);\n\n   \xe2\x80\xa2   an approved project management plan is prepared for each IT\n       project that includes cost and schedule controls (Prerequisite 2);\n\n   \xe2\x80\xa2   information from the IT asset inventory is used by the IT\n       investment boards as applicable (Prerequisite 4);\n\n   \xe2\x80\xa2   each project\'s up-to-date cost and schedule data are provided to\n       the appropriate IT investment board (Activity 1);\n\n   \xe2\x80\xa2   using established criteria, the IT investment boards oversee each\n       IT project\'s performance regularly by comparing actual cost and\n       schedule data to expectations (Activity 2);\n\n   \xe2\x80\xa2   the IT investment boards perform special reviews of projects\n       that have not met predetermined performance standards\n       (Activity 3);\n\n   \xe2\x80\xa2   appropriate corrective actions for each under-performing project\n       are defined, documented, and agreed to by the IT investment\n       boards and the project manager (Activity 4); and\n\n   \xe2\x80\xa2   corrective actions are implemented and tracked until the desired\n       outcome is achieved (Activity 5).\n\n      Regarding Organizational Commitment 2, the FBI has not\ndeveloped written policies and procedures for management oversight\nof IT projects. While the Plan provides a conceptual basis for board\noversight of IT projects and the board charters define the boards\xe2\x80\x99\nresponsibilities, the FBI does not have the specific policies and\nprocedures in place for overseeing and controlling projects. FBI\n\n\n                                  - 37 -\n\x0cofficials have acknowledged to us that the Plan was never intended to\nrepresent the complete and final policies and procedures for\nmanagement oversight of IT projects. The Plan states that it is a fluid\ndocument that will need to be modified and supplemented as the pilot\ntest is performed. As a result, FBI officials recognize that additional\npolicies and procedures must be developed. As of June 2002, FBI\nofficials have told us they are in the process of developing these\nspecific policies and procedures for the control phase of the ITIM pilot\ntest.\n\n      Regarding Prerequisite 1 (providing adequate resources to the\nboards), we concluded that this key practice has not been executed\nbecause as of June 2002, the FBI did not have a functioning project\nmanagement office to assist the boards in overseeing IT projects. The\nPlan calls for a functioning project management office to assist the\nboards, especially the Project Oversight Committee, and consequently\nis a necessary resource for IT project oversight. As of June 2002, the\nFBI has not yet utilized its project management function to assist the\nProject Oversight Committee in IT investment decision-making.\n\n       The functioning project management office represents a critical\nresource to the Project Oversight Committee and thus to IT project\noversight. In our judgment, the functioning project management\noffice needs to have jurisdiction over IT projects throughout the\nBureau, rather than limit its responsibilities to division-specific\nprojects. Until June 2002, the FBI lacked a functioning project\nmanagement office that had jurisdiction over IT projects throughout\nthe Bureau. Rather than having a centralized project management\noffice, independent of individual divisions, the FBI maintained three\nseparate division-level project management offices to manage IT\nprojects. These three separate project management functions were\nmaintained in the IRD, CJIS, and Laboratory Divisions, contributing to\ninefficiencies in project coordination and the risk of \xe2\x80\x9cstove piping\xe2\x80\x9d\nprojects. Because of its importance in supporting the ITIM process,\nthe subject of establishing and maintaining a centralized project\nmanagement office is further discussed later in this report.\n\n      Regarding Prerequisite 2, we determined that each IT project\ndoes not have an approved project management plan that includes\ncost and schedule controls. Personnel from the IRD project\nmanagement office told us that generally IT projects with high visibility\nhave project management plans that include cost and schedule\ncontrols. However, other lower visibility projects have less rigid\ncontrols in place. This condition developed because the IRD project\n\n\n                                 - 38 -\n\x0cmanagement office did not uniformly enforce the development of\nproject management plans by all IT project managers. In our\njudgment, projects under the IRD\xe2\x80\x99s discretion have not been\nadequately controlled. Although personnel from the CJIS and\nLaboratory Divisions indicated that IT projects under their respective\ndivisions did have management plans with cost and schedule controls,\nwithout a functioning board that approves and monitors these project\nmanagement plans FBI managers have no assurance that IT projects\nare effectively managed in accordance with uniform standards.\n\n      Regarding Prerequisite 4, the FBI has not yet developed an IT\nasset inventory; consequently, the FBI\xe2\x80\x99s investment review boards are\nnot aware of all the IT projects and resources for which the boards are\nresponsible. FBI managers told us they were in the process of\ndeveloping an IT asset inventory. However, at the time of our audit\nthey were unable to provide an estimated date for completing the\ninventory. Unless the investment review board members are fully\ncognizant of the IT projects and resources for which they are\nresponsible, the boards cannot exercise effective oversight of ongoing\nIT projects. Additional details pertaining to the FBI\xe2\x80\x99s plans to finalize\nthe IT inventory are provided later in this report.\n\n       Finally, since the IT investment review boards were not involved\nin overseeing IT projects as of June 2002, we concluded that none of\nthe five remaining key practices activities have been executed. These\nfive key practices are the basic activities that investment review\nboards must implement to effectively oversee IT projects during the\ncontrol phase. The FBI provided us documentation indicating that the\nProject Oversight Committee (the primary IT investment review board\nresponsible for overseeing IT projects) met in June 2002 to discuss the\nFBI\xe2\x80\x99s intent to pilot test the control phase of the Plan by September\n2002. The documentation stated that the FBI was still working on\ndesigning the specific procedures associated with the control phase,\nincluding integrating the ITIM process with the project management\noffice. Additionally, the FBI has only provided us with summary\ninformation on when and how the control phase of the ITIM process\nwill be rolled out. The information lacks specific details needed to\neffectively implement this critical process.\n\n      FBI personnel told us that the lack of established IT investment\nreview boards (prior to March 2002) was the main cause for ineffective\nproject oversight. Additionally, they stated that the control phase of\nthe ITIM process would be pilot tested by September 2002. However,\nthe FBI has not been able to provide us with a specific timeline as to:\n\n\n                                 - 39 -\n\x0c(1) how the pilot test will be executed, and (2) details as to how the\nITIM process will interface with a project management methodology.\nThese issues are further discussed in Section B of this finding.\n\n       Without effective oversight of IT projects, FBI officials do not\nhave adequate assurance that IT projects are being developed on\nschedule and within established budgets. As described in the following\nparagraphs, the lack of effective IT project oversight has contributed\nto the FBI\xe2\x80\x99s problems in managing IT projects, including a lack of\naccountability for cost and schedule overruns, a lack of consideration\nfor full life-cycle costs, and lost credibility with Congress.\n\n       According to a former Chief Information Officer at the FBI, the\nlack of effective oversight of IT projects (as a result of not having IT\ninvestment review boards and a centralized project management\noffice) have prevented IT project managers from being held\naccountable for cost and schedule overruns and the ultimate\nperformance of projects. For example, the former Chief Information\nOfficer told us that the CJIS Division completed the Integrated\nAutomated Fingerprint Identification System and the National Crime\nInformation Center 2000 years behind schedule and millions of dollars\nover budget. He also told us that management changes in the\nCJIS Division have not occurred, despite these overruns.\n\n      Senior FBI officials also told us that the Bureau\xe2\x80\x99s budget\nformulation process focuses only on the acquisition costs for IT\nprojects and not the full life-cycle costs, especially operations and\nmaintenance costs. For example, an assessment performed by the\nFBI\xe2\x80\x99s Inspection Division on the Trilogy project40 noted that the life-\ncycle cost estimate is inadequate and only focuses on the term of the\ncontract, not the life of the project. FBI personnel told us that a lack\nof consideration for full project costs is not limited to Trilogy, but also\napplies to other IT projects. Without accountability for significant\ndeviations from project baselines, there is a lack of incentives for\nproject managers to adequately control and evaluate projects.\n\n      According to FBI officials, the FBI\xe2\x80\x99s inability to effectively\ncomplete IT projects within budget and schedule reduced the FBI\xe2\x80\x99s\ncredibility in the eyes of Congress. The lack of credibility contributed\nto delays in the FBI receiving Congressional funding to upgrade its IT\ninfrastructure. This subject, along with how Trilogy may be adversely\naffected because of uncertainties in determining projected costs and\n\n      40\n           The Trilogy project is discussed in greater detail in section C of this finding.\n\n\n                                          - 40 -\n\x0cscheduled completion dates for project milestones, is further discussed\nin section C of this finding.\n\nc. Recommendations\n\n      We recommend that the Director of the FBI ensure:\n\n3. Official project management guidance is consistently followed by all\n   FBI IT project managers.\n\n4. Written policies and procedures are developed for management\n   oversight of IT projects for use by the investment review boards\n   (Organizational Commitment 2).\n\n5. IT Investment Review Boards are supported by a centralized\n   project management office that operates in accordance with ITIM\n   policies and procedures (Prerequisite 1).\n\n6. Each IT project has a project management plan, approved by the\n   Project Oversight Committee, that includes cost and schedule\n   controls (Prerequisite 2).\n\n7. Information being developed in the IT asset inventory is made\n   available to, and used by, the boards (Prerequisite 4).\n\n8. Execution of the five key practices consisting of the activities\n   necessary for the investment review boards to maintain effective\n   oversight of IT projects during the critical control phase. These\n   five key practices consist of:\n\n  \xe2\x80\xa2   Providing each project\'s up-to-date cost and schedule data to the\n      appropriate IT investment board (Activity 1).\n\n  \xe2\x80\xa2   Establishing criteria for the boards to review each IT project\xe2\x80\x99s\n      performance by comparing actual cost and schedule data to\n      expectations (Activity 2).\n\n  \xe2\x80\xa2   Performing special reviews of projects that have not met\n      predetermined performance standards (Activity 3).\n\n  \xe2\x80\xa2   Defining, documenting, and agreeing to corrective actions for\n      each under-performing project by the appropriate IT investment\n      board and the project manager (Activity 4).\n\n\n\n                                 - 41 -\n\x0c   \xe2\x80\xa2   Tracking and implementing corrective actions until the desired\n       outcome is achieved (Activity 5).\n\n(5) Critical Process #3: IT Project and System Identification\n\n       For the FBI to make effective IT investment decisions, it must\nhave at its disposal information about existing IT investments as well\nas the proposed investments being considered. The purpose of this\ncritical process is to provide the IT investment boards the information\nrequired to fully evaluate the impacts and opportunities created by\nboth the proposed and current IT investments. The key practices of\nthis process require the FBI to identify and track the IT projects and\nsystems within the organization to create a comprehensive inventory.\nAccording to the Framework, effective identification of IT projects and\nsystems requires:\n\n   \xe2\x80\xa2   identifying specific information about each IT project and system\n       in an inventory, according to written procedures;\n\n   \xe2\x80\xa2   updating information in the inventory as changes to projects and\n       systems occur;\n\n   \xe2\x80\xa2   making information from the inventory available to users as\n       needed; and\n\n   \xe2\x80\xa2   assigning responsibility for managing the IT system identification\n       process.\n\n       While the FBI has taken steps to identify its IT projects and\nsystems in an IT asset inventory, it still does not have a complete IT\nasset inventory that is being using by the IT investment review boards\nfor investment management purposes. As part of an enterprise\narchitecture data repository, the FBI is developing a comprehensive\ninventory of its IT projects and systems. In addition, FBI officials have\ntold us that the enterprise architecture office is primarily responsible\nfor developing and maintaining the data repository. However, the data\nrepository has not been completed, nor have board members used its\ncontents during the select phase of the ITIM process that took place\nduring the Spring of 2002. The FBI\xe2\x80\x99s enterprise architecture function\nis further discussed in section B of this finding. The following table\nsummarizes the key practice ratings for the IT project and system\nidentification critical process.\n\n\n\n\n                                  - 42 -\n\x0c   FBI Progress Toward Identifying IT Projects and Systems\n                    (Critical Process #3)\n\n                                            Key Practice      Key Practice\n                                             Execution         Execution\n                                           Status Prior to    Status as of\n           Key Practice                     March 2002         June 2002\nOrganizational Commitment 1.\nThe organization has written policies\nand procedures for identifying its IT\nprojects and systems and collecting an\ninventory that includes information\nabout the IT projects and systems\nthat is relevant to the investment\nmanagement process.                        Executed          Executed\nOrganizational Commitment 2.\nAn official is assigned responsibility\nfor managing the IT project and\nsystem identification process and\nensuring the inventory meets the\nneeds of the investment management\nprocess.                                   Not Executed      Executed\nPrerequisite 1. Adequate resources\nare provided for identifying IT projects\nand systems and collecting relevant\ninformation into an inventory.             Not Executed      Not Executed\nActivity 1. The organization\'s IT\nprojects and systems are identified\nand specific information about these\nprojects is collected in an inventory.     Not Executed      Not Executed\nActivity 2. Changes to IT projects\n and systems are identified and\n changed information is collected in the\n inventory.                                Not Executed      Not Executed\nActivity 3. Information from the\n inventory is available on demand to\n decision-makers and other affected\n parties.                                  Not Executed      Not Executed\nActivity 4. The IT project and system\n inventory and its information records\n are maintained to contribute to future\n investment selections and\n assessments.                              Not Executed      Not Executed\n\n     Source: OIG analyses\n\n\n\n\n                                      - 43 -\n\x0ca. The FBI has Executed Two of the Seven Key Practices\n   Associated With Identifying IT Projects and Systems\n\n       Based on our analyses, we determined that the FBI has executed\ntwo of the seven key practices associated with this critical process.\nSpecifically, the FBI has developed written policies and procedures for\nidentifying its IT projects and systems in an inventory that includes\ninformation relevant to the investment management process\n(Organizational Commitment 1). Additionally, the FBI has designated\nan official responsible for managing the IT project and system\nidentification process and ensuring that the inventory meets the needs\nof the investment management process (Organizational\nCommitment 2).\n\n       Regarding Organizational Commitment 1, we determined that\nthe FBI has developed adequate written policies and procedures for:\n(a) identifying its IT projects and systems and (b) collecting\ninformation relevant to the investment management process on each\nproject and system. Prior to December 2001, the FBI did not have\nwritten policies and procedures for identifying IT projects and systems.\nThe FBI did, however, provide us with an electronic communication\ndated December 3, 2001 from the enterprise architecture staff that\nwas distributed Bureau-wide requesting management from each\ndivision to provide information on its IT systems. The information\nobtained from the divisions is used by the enterprise architecture staff\nto develop the data repository of IT systems.\n\n      Regarding Organizational Commitment 2, the FBI has designated\nthe Chief Architect of the enterprise architecture office with\nresponsibility for managing the IT project and system identification\nprocess and ensuring that the inventory, when completed, meets the\nneeds of the investment management process and ITIM managers and\nusers. The Chief Architect currently reports to the Information\nResource Management Section Chief, who reports to the Chief\nInformation Officer.\n\nb. The FBI Must Execute Five of the Seven Key Practices\n   Associated with Identifying IT Projects and Systems\n\n       Although the FBI has made recent progress in identifying IT\nprojects and systems, the FBI does not have a comprehensive IT\nproject and system identification process because it still has not\nexecuted five out of the seven key practices associated with this\ncritical process. Specifically, the FBI must ensure that:\n\n\n                                 - 44 -\n\x0c   \xe2\x80\xa2   adequate resources are provided for identifying IT projects and\n       systems and collecting relevant information into an inventory\n       (Prerequisite 1);\n\n   \xe2\x80\xa2   the organization\'s IT projects and systems are identified and\n       specific information about these projects and systems is\n       collected in an inventory (Activity 1);\n\n   \xe2\x80\xa2   changes to IT projects and systems are identified and changed\n       information is collected in the inventory (Activity 2);\n\n   \xe2\x80\xa2   information from the inventory is available on demand to\n       decision-makers and other affected parties (Activity 3); and\n\n   \xe2\x80\xa2   the IT project and system inventory and its information records\n       are maintained to contribute to future investment selections and\n       assessments (Activity 4).\n\n       Regarding Prerequisite 1, FBI managers told us that the FBI has\nnot allocated adequate resources to ensure timely and successful\ncompletion of the IT project and system identification critical process.\nFBI managers from the Information Resources Management Section\ntold us that they do not have sufficient staffing to support the ITIM\nprocess, including the enterprise architecture function. The enterprise\narchitecture office within the Information Resources Management\nSection plays a key role in the ITIM process as it assists the Technical\nReview Board and maintains the data repository information on IT\nsystems and projects. Further, personnel who we interviewed from\nthe enterprise architecture office told us that limited staffing was a\nfactor in not having the data repository completed.41\n\n        Regarding the remaining four key practices, none of those\npractices can be executed until the FBI completes the creation of its IT\nasset inventory. More importantly, the IT asset inventory will have\nlittle value to the FBI if it is not used when making IT investment\ndecisions. Prior attempts at compiling an inventory of IT projects were\nused to satisfy Congressional and DOJ requests, rather than to assist\nthe IT investment management process. For example, the FBI\n\n\n\n\n       41\n          Our judgments regarding staffing issues within the enterprise architecture\noffice are discussed in more detail later in this report.\n\n\n                                       - 45 -\n\x0cprepared a partial list of its information technology projects to comply\nwith a Congressional request in August 2000.\n\n      FBI officials informed us that they anticipate the investment\nreview boards will use the completed inventories to contribute to\nfuture investment selections and assessments. The Plan states that\nthe FBI must establish a complete IT portfolio set as the ITIM process\nmatures. Further, FBI personnel told us that the enterprise\narchitecture data repository, when complete, will be available to\ndecision-makers and other ITIM users via the FBI\xe2\x80\x99s Intranet.\nHowever, we have not been provided with a specific timeframe for\nwhen the FBI expects to have a completed inventory.\n\n      FBI personnel told us that the primary cause of not having a\ncompleted IT asset inventory and actively using it in the ITIM process\nis because of staffing shortages. While that may be a contributing\nfactor, we concluded that the lack of centralized management over IT\ninvestments was also a limiting factor. As a result, certain divisions\nmaintained some version of an IT inventory for the projects and\nsystems under their jurisdiction, and there was no centralized office\nresponsible for maintaining a uniform listing Bureau-wide.\n\n      Without a complete IT asset inventory in the ITIM process, FBI\nmanagement and board members do not have adequate assurance\nthat accurate, timely, and complete information on existing IT projects\nand systems is available to them. As a result, there is a risk that new\nIT proposals selected overlap with one of the 200 or so existing FBI\napplications. While the recently established review boards helped to\nmitigate this risk for the FY 2004 budget selection process, we believe\nthat an IT asset inventory must be used by the boards to optimize the\nuse of the FBI\xe2\x80\x99s resources.\n\nc. Recommendations\n\n    We recommend that the Director of the FBI:\n\n9. Establish a deadline for completing the creation of the FBI IT\n   inventory and ensure progress toward completion is monitored\n   (Activity 1).\n\n\n\n\n                                 - 46 -\n\x0c10. Implement processes to ensure:\n\n       a.        subsequent changes to IT projects and systems are identified\n                 and documented in the inventory (Activity 2);\n\n       b.        information from the inventory is available on demand to\n                 decision-makers and other affected parties (Activity 3); and\n\n       c.        the IT project and system inventory and its information\n                 records are maintained to contribute to future investment\n                 selections and assessments (Activity 4).\n\n(6) Critical Process #4: Business Needs Identification\n\n       This critical process establishes the mechanism for identifying\nthe business needs and the associated users that drive each IT\nproject. This critical process links the organization\xe2\x80\x99s business\nobjectives with its IT strategy and creates the partnership between the\nusers and the IT providers. According to the Framework, effective\nidentification of business needs requires:\n\n   \xe2\x80\xa2        defining the organization\xe2\x80\x99s business needs and goals;\n\n   \xe2\x80\xa2        identifying users who will participate throughout the life-cycle of\n            each project;\n\n   \xe2\x80\xa2        defining business needs for each IT project; and\n\n   \xe2\x80\xa2        training IT staff in business needs identification.\n\n       While the FBI has made progress in identifying business needs\nfor IT projects, it has not yet executed all the key practices necessary\nto implement this critical process. Prior to pilot testing the select\nphase of its ITIM process in March 2002, the FBI had been identifying\nusers for each IT project in the Exhibit 300.42 Since pilot testing the\nselect phase of the ITIM process beginning in March 2002, the FBI has\nused a concept paper along with the Exhibit 300 to identify and define\nbusiness needs. In addition, the FBI has defined its general business\nneeds and goals in its strategic plan, which is further discussed later in\nthis report. However, as previously mentioned, the FBI has not\n\n            42\n          An Exhibit 300 is a capital asset plan that must be prepared for major\nprojects and is submitted to the DOJ and OMB.\n\n\n                                         - 47 -\n\x0cidentified all of its IT projects in an asset inventory; consequently,\nprogress in implementing this critical process is contingent upon\ncompleting the FBI IT inventory. Also, we were not provided evidence\nindicating that identified users participate in project management\nthroughout a project\'s life-cycle. The following table summarizes the\nkey practice ratings for the business needs identification critical\nprocess.\n\n  FBI Progress Toward Identifying its Business Needs\n                   (Critical Process #4)\n\n                                                  Key Practice Key Practice\n                                                   Execution      Execution\n                                                 Status Prior to Status as of\n              Key Practice                        March 2002      June 2002\nOrganizational Commitment 1. The\norganization has written policies and\nprocedures for identifying the business needs\n(and the associated users) of each IT project.   Not Executed    Not Executed\nPrerequisite 1. Adequate resources are\nprovided for identifying business needs and\nassociated users.                                Not Executed    Not Executed\nPrerequisite 2. The organization has defined\nbusiness needs or stated mission goals.          Executed        Executed\nPrerequisite 3. IT staff are trained in\nbusiness needs identification.                   Not Executed    Not Executed\nPrerequisite 4. All IT projects are identified\nin the IT asset inventory.                       Not Executed    Not Executed\nActivity 1. The business needs for each IT\nproject are clearly identified and defined.      Not Executed    Executed\nActivity 2. Specific users are identified for\neach IT project.                                 Executed        Executed\nActivity 3. Identified users participate in\nproject management throughout a project\'s\nlife-cycle.                                      Not Executed    Not Executed\n\n      Source: OIG analyses\n\na. The FBI has Executed Three of the Eight Key Practices\n   Required to Identify its Business Needs and Associated\n   Users\n\n      We determined that the FBI has executed three of the eight key\npractices associated with this critical process. Specifically, the FBI has\ndefined its business needs or stated mission goals (Prerequisite 2); the\nbusiness needs for identified IT projects are clearly identified and\n\n\n\n\n                                      - 48 -\n\x0cdefined (Activity 1); and specific users are identified for each IT\nproject (Activity 2).\n\n      Regarding Prerequisite 2, we determined that the FBI has\ndefined business needs or stated mission goals. The FBI has stated\nmission goals in its strategic plan. The FBI\xe2\x80\x99s strategic plan has not\nbeen updated since 1998, but the Director has revised the priorities of\nthe Bureau since the terrorist attacks on September 11, 2001.\nFurther, the FBI is currently in the process of developing an enterprise\narchitecture framework, which will link the FBI\xe2\x80\x99s strategic plan to its\nbusiness needs.\n\n       Regarding Activity 1, we determined that the business needs for\neach IT project are clearly identified and defined in the Exhibit 300.\nPrior to the initiation of the ITIM pilot test in March 2002, the FBI did\nnot have adequate management controls in place to ensure that the\nbusiness needs for each project were accurately developed in the\nExhibit 300. With the ITIM process, the board reviews of the concept\npapers and Exhibit 300s provided assurance that these business needs\nwere clearly identified and defined. In instances where the business\nneeds were vague, the boards, especially the Technical Review Board,\nreturned the concept papers and Exhibit 300s to the project sponsor\nfor re-work. This re-work demonstrates that board review of these IT\nproposals was an effective control over the business needs\nidentification process. Our review of Exhibit 300s that were ultimately\nrecommended to the Executive Review Board for inclusion in the\nFY 2004 budget cycle confirmed that business needs were clearly\nidentified and defined.\n\n       Regarding Activity 2, the FBI identified specific users for each IT\nproject. Based on our reviews of several Exhibit 300s both before and\nafter the initiation of the ITIM process in March 2002, we determined\nthat the users for the IT project were identified and documented.\n\nb. The FBI Must Execute Five of the Eight Key Practices\n   Required to Identify its business Needs and Associated\n   Users\n\n      Although progress has been made in identifying its business\nneeds and associated users, the FBI has yet to execute five of the\neight key practices associated with this critical process. Specifically,\nthe FBI must ensure that:\n\n\n\n\n                                  - 49 -\n\x0c   \xe2\x80\xa2   it has formalized written policies and procedures for identifying\n       the business needs (and the associated users) of each IT project\n       (Organizational Commitment 1);\n\n   \xe2\x80\xa2   adequate resources are provided for identifying business needs\n       and associated users (Prerequisite 1);\n\n   \xe2\x80\xa2   IT staff are trained in business needs identification\n       (Prerequisite 3);\n\n   \xe2\x80\xa2   all IT projects are identified in the IT asset inventory\n       (Prerequisite 4); and\n\n   \xe2\x80\xa2   identified users participate in project management throughout\n       the project life-cycle (Activity 3).\n\n       Regarding Organizational Commitment 1, we determined that\nthe FBI does not have written policies and procedures for identifying\nthe business needs (and the associated users) of each IT project. The\nFBI has been defining business needs for IT projects in the\nExhibits 300 and related concept papers. The Post-Implementation\nReview acknowledges that the FBI needs more formally developed\npolicies and procedures to support the ITIM process. By formalizing\nthese procedures in writing, the FBI reduces the risk that it will neglect\nto perform this practice in the future.\n\n       Regarding Prerequisites 1 and 3, FBI officials told us that\nadequate resources were not allocated to identifying business needs\nand associated users. Specifically, FBI officials from the Information\nResources Management Section told us that there has not been\nsufficient resources dedicated to the ITIM process, including the\ntraining of ITIM users. The importance of training ITIM users in the\nmany facets of the ITIM process cannot be underestimated. Part of\nthe required ITIM training must include the business needs\nidentification process. Examples of training in this critical process\ninclude organizational requirements for ongoing education, rotation of\nITIM users through supported business units, and relevant conference\nattendance. As previously mentioned, many ITIM users have only\nreceived one training session on the FBI\xe2\x80\x99s ITIM process. Additionally,\nthe FBI has not provided us with specific plans for future training\nsessions that include business needs identification. As a result, these\nkey practices have not been executed.\n\n\n\n\n                                   - 50 -\n\x0c       The ITIM training that occurred in February 2002 provided only\nan overview of the ITIM process, rather than role-specific training that\naddressed the business needs identification. The Post-Implementation\nReview stated that re-work of Exhibit 300s and concept papers were\nrequired after these products were submitted to the ITIM program\noffice. This re-work was necessary because there was not a clear\nalignment between the IT proposal and the FBI\xe2\x80\x99s strategic goals.\nBetter training that included business needs identification may have\nreduced some of the re-work. Further, a more clearly defined\nenterprise architecture framework would have increased the IT staff\xe2\x80\x99s\nknowledge in business needs identification.\n\n      Regarding Prerequisite 4, as previously mentioned, the FBI has\nnot completed its IT asset inventory. Identifying all projects in an IT\nasset inventory is a fundamental step in having a fully developed\nbusiness needs identification process. The availability of this inventory\nassists board members in recommending IT projects that support one\nor more business needs or mission goals.\n\n       Regarding Activity 3, FBI officials have acknowledged that\nidentified users do not consistently participate throughout the project\xe2\x80\x99s\nlife-cycle. FBI officials informed us that not keeping IT system users\nactively involved in the creation and implementation of IT projects is a\nmajor factor in the development of multiple IT systems (including\nACS) that do not effectively meet user needs. When we asked the\nformer Chief Information Officer for other examples of systems that do\nnot effectively meet user needs, his response was \xe2\x80\x9cpick one.\xe2\x80\x9d Clearly,\nthis is a significant need that must be addressed by the ITIM process.\nThe DOJ\xe2\x80\x99s System Development Life-Cycle requires user participation\nthroughout the life-cycle, but as we previously noted in this finding,\nthe System Development Life-Cycle is not used by the FBI on a\nconsistent basis. Board oversight of project teams should be required\nto ensure that users are engaged throughout the project\xe2\x80\x99s life-cycle.\n\n      FBI officials told us that there has not been ample time since the\nimplementation of the Plan to adequately train its IT staff and board\nmembers in business needs identification. A complete explanation as\nto why the FBI did not have ample time for training was previously\ndiscussed in section A.3 of this finding.\n\n       Although FBI officials have told us that additional training for IT\nstaff and board members is expected to occur sometime in the future,\nwe were not provided evidence that shows there will be any training\nspecifically related to business needs identification. Further, we have\n\n\n                                  - 51 -\n\x0cnot been provided with a timetable as to when this training will take\nplace. In addition, an effective business needs identification process\nrequires an organization to have a comprehensive IT portfolio and\nenterprise architecture, neither of which the FBI currently has. Our\nassessment of the FBI\xe2\x80\x99s efforts to implement a basic enterprise\narchitecture is discussed later in this report.\n\n       Without a comprehensive business needs identification process,\nFBI management and board members do not have adequate assurance\nthat they are selecting IT projects that align with mission needs and\npriorities. Additionally, projects under development are at risk of not\nmeeting the needs of users, as has been the case with ACS and other\nFBI systems.\n\nc.       Recommendations\n\n         We recommend that the Director of the FBI ensures:\n\n11. Written policies and procedures are developed for identifying the\n    business needs (and the associated users) of each IT project\n    (Organizational Commitment 1).\n\n12. Adequate resources are allocated to train ITIM users in identifying\n    business needs and associated users (Prerequisites 1 and 3).\n\n13. Identified users participate in project management throughout a\n    project\'s life-cycle (Activity 3).\n\n(7) Critical Process #5: IT Proposal Selection\n\n       The proposal selection critical process establishes a structured\nmethodology for selecting new IT proposals. The FBI should have this\ncritical process fully implemented to ensure that it selects the most\nmeritorious IT proposals to meet its mission critical needs. According\nto the Framework, this critical process requires:\n\n     \xe2\x80\xa2   designating an official to manage the proposal selection process;\n\n     \xe2\x80\xa2   using a structured process to develop new proposals;\n\n     \xe2\x80\xa2   making funding decisions based on an established process; and\n\n     \xe2\x80\xa2   analyzing and ranking new IT proposals against criteria that\n         includes cost and schedule data.\n\n\n                                   - 52 -\n\x0cThe following table summarizes the key practice ratings for the\nproposal selection critical process.\n\n   FBI Progress Toward Establishing an IT Proposal Selection\n                 Process (Critical Process #5)\n\n                                             Key Practice     Key Practice\n                                              Execution        Execution\n                                            Status Prior to   Status as of\n            Key Practice                     March 2002        June 2002\n Organizational Commitment 1.\n Executives and managers are committed\n to follow an established selection\n process.                                   Not Executed      Executed\n Organizational Commitment 2. An\n official is designated to manage the\n proposal selection process.                Not Executed      Executed\n Prerequisite 1. Adequate resources\n are provided for proposal selection\n activities.                                Not Executed      Not Executed\n Activity 1. The organization uses a\n structured process to develop new IT\n proposals.                                 Not Executed      Executed\n Activity 2. Executives analyze and\n prioritize new IT proposals according to\n established selection criteria.            Not Executed      Executed\n Activity 3. Executives make funding\n decisions for new IT proposals according\n to an established process.                 Not Executed      Executed\n\n       Source: OIG analyses\n\na. The FBI Has Executed Five of the Six Key Practices\n   Associated With Establishing an IT Proposal Selection\n   Process\n\n      As previously discussed, the FBI pilot tested its ITIM proposal\nprocess in March 2002. The Plan outlined a conceptual framework for\nselecting projects, while subsequent documents further defined the\nprocess. We determined that the FBI has executed five of the six key\npractices associated with this critical process. The five key practice\nare:\n\n   \xe2\x80\xa2   FBI managers are committed to follow an established selection\n       process (Organizational Commitment 1);\n\n\n\n                                     - 53 -\n\x0c   \xe2\x80\xa2   an official is designated to manage the proposal selection\n       process (Organizational Commitment 2);\n\n   \xe2\x80\xa2   the FBI uses a structured process to develop new IT proposals\n       (Activity 1);\n\n   \xe2\x80\xa2   FBI managers analyze and prioritize new IT proposals according\n       to established selection criteria (Activity 2); and\n\n   \xe2\x80\xa2   executives make funding decisions for new IT proposals\n       according to an established process (Activity 3).\n\n      Regarding Organizational Commitment 1 and Activity 1, we\nconcluded that in pilot testing its proposal selection process in\nMarch 2002, FBI managers were committed to and followed an\nestablished selection process for the FY 2004 budget cycle.\n\n       Prior to the initiation of the ITIM process in March 2002, the FBI\ndid not have an established process for selecting IT proposals. Several\nFBI officials told us that individual divisions determined their IT needs\nin a \xe2\x80\x9cstovepipe,\xe2\x80\x9d without knowledge of the business needs and\npriorities of the Bureau as a whole. Once each division decided on its\nIT request, the request was forwarded to the Information Resources\nManagement Section for a \xe2\x80\x9ctechnical\xe2\x80\x9d review. This review, performed\nby the Information Resources Management Section Chief, was\ndesigned to ensure that the request was consistent with the FBI\xe2\x80\x99s\nexisting IT infrastructure. However, without an established enterprise\narchitecture, the review could not adequately provide assurance that\nthe proposal aligned with the FBI\xe2\x80\x99s business needs and priorities.\n\n      Once approved by the Information Resources Management\nSection Chief, the request was then forwarded to the Finance Division\nto determine if similar requests for budget enhancements were\npreviously denied by Congress. Requests approved by the Finance\nDivision were forwarded to a committee comprised of executive\nmanagers for final evaluation and selection. However, personnel from\nthe Finance Division told us that it was not uncommon for the IRD,\nLaboratory, and CJIS Divisions to submit requests for IT projects that\nwere duplicative but were approved anyway. This indicates that the\nInformation Resources Management Section did not adequately\nperform its role in overseeing IT proposals. Additionally, according to\nFBI officials, the committee of executive managers did not have a\nformalized charter, follow approved polices or procedures, or maintain\n\n\n\n                                  - 54 -\n\x0cdocumentation detailing committee activities. Therefore, the process\nwas not standardized or repeatable.\n\n      With the initiation of the ITIM process in March 2002, the FBI\nestablished a proposal selection process for the FY 2004 budget cycle.\nIT proposals were developed by the project sponsor with a preliminary\nfeasibility analysis, referred to as a concept paper. The concept paper\nwas submitted to the Enterprise Architecture Technical Committee for\na preliminary technical review, and then forwarded to the\nTechnical Review Board with a recommendation as to whether the\nproject should be approved. Upon the Technical Review Board\xe2\x80\x99s\napproval, the project sponsor was asked to prepare a more\ncomprehensive business case analysis, which was documented in the\nExhibit 300. The project proposal package, which includes the concept\npaper and Exhibit 300, was then submitted to the Project Oversight\nCommittee for a business review. The Project Oversight\nCommittee assembled the multiple requests and recommended a list\nof projects for the Executive Review Board\xe2\x80\x99s review. The\nExecutive Review Board selected projects for the FY 2004 budget\ncycle. Because this process was documented in the Plan, and\nenhanced with training materials, we concluded that the FBI effectively\nestablished a selection process. The following flowchart outlines the\nFBI\'s proposal selection process.\n\n\n\n\n                                - 55 -\n\x0c                            FLOWCHART OF FBI\xe2\x80\x99S ITIM SELECT PHASE\n\n\n\n\n                              IDEAfor\n                             IT Initiative\n\n\n\n                                                                                       Review for business                           TRB reviews\n                         Project originator                                             alignment & vision                        Business Case and\n                        develops a Concept                                                 with the POC                              Updates CP\n                              Paper                                                                           Revised CP              Dashboard\n                                                                         Com pleted                           Dashboard\n                                                             Stop         Concept\n                                                                           Paper\n           Partial                                                                                                      Business\n          Concept                                                                      Concept                           Case\n           Paper                                                                        Paper                         (Exhibit 300)\n                                                                                      Dashboard\n                        Project Sponsor fine\n                       tunes Concept Paper                                                    Worth                                     POC review &\n                        with support from IT                                               next level of                              prioritization of all\n                                                                Stop          No\n                        and Finance Teams                                                  investment?                                 Business Cases\n                                                                                                                Project\n                                                                                                              Sum aries\n                                                                                                                  m\n          Com pleted\n           Concept                                                                                                          Project\n            Paper                                                                                                          Rankings\n                                                                                                  Yes\n                            Division\n                                                Rework\n\n\n\n\n                                                                                                                                 Submit prioritized list\n                       management reviews\n                                                                                                                                 to ERB for review &\n                         Concept Paper                                                   Project originator\n                                                                                                                                      approval\n                                                                                        develops Business\n                                                                                        Case (Exhibit 300)\n\n\n\n         Stop          No     Approve?\n\n                                                         Project originator           Division management         Stop          No Approve?\n                                                         modifies Business              reviews Business\n          Com pleted\n           Concept                                       Case (Exhibit 300)            Case (Exhibit 300)\n            Paper                   Yes\n                                                                                                                                              Yes\n\n\n                        Review for project,\n                                                                                                                                       Submit budget\n                        technical, financial,\n                                                                                                                                       enhancement\n                          and security risk\n                                                                    No                      Approve?                                      request\n                        rating with the TRB\n          Com pleted\n           Concept\n            Paper\n                        Concept\n                         Paper\n                       Dashboard\n                        (partial)\n\n\n\n\n     Source: FBI\xe2\x80\x99s training materials for the ITIM process as of\n     February 2002.\n\n      Regarding Organizational Commitment 2, prior to the initiation of\nthe select phase of its ITIM process in March 2002, the FBI did not\nhave a clearly designated official to manage the proposal selection\nprocess. According to Information Resources Management Section\npersonnel, the Finance Division managed the IT selection process.\nHowever, according to Finance Division personnel, the Information\nResources Management office was responsible for managing the\nproposal selection process. With the onset of the ITIM process in\nMarch 2002, the FBI\xe2\x80\x99s Chief Information Officer appointed the ITIM\n\n\n                                                                           - 56 -\n\x0cProgram Manager to manage the proposal selection process. This\nofficial reports to the Information Resources Management Section\nChief, who reports to the Chief Information Officer.\n\n      Regarding Activity 2, we determined that FBI IT investment\nboard members analyzed and prioritized new IT proposals according to\nestablished selection criteria for the FY 2004 budget cycle. Projects\nwere prioritized according to three separate areas: (1) mission fit;\n(2) technical criteria (including risk management and architectural\nassessments); and (3) financial criteria (including performance\nmeasures, cost/benefit analyses, and acquisition strategy).\n\n      Regarding Activity 3, the three IT investment review boards\nmade funding decisions for new IT proposals according to a process\nestablished for the FY 2004 budget cycle. The Executive Review\nBoard, chaired by the Director, had the final authority for making IT\nfunding requests to the DOJ. The Executive Review Board members\nbased their decisions upon recommendations made by the Technical\nReview Board and the Project Oversight Committee. Based on the use\nof an established process, this key practice has been executed.\n\nb. The FBI Must Execute One Key Practice Associated With\n   Establishing an IT Proposal Selection Process\n\n      Although the FBI has made substantial progress in establishing\nan IT proposal selection process for the FY 2004 budget cycle, in our\njudgment it has yet to allocate adequate resources for comprehensive\nproposal selection activities. Our conclusion is based upon the\nfollowing observations.\n\n   \xe2\x80\xa2   The FBI pilot tested the selection process only for proposed\n       budget enhancements for FY 2004 and not for projects already\n       included in the base funding for IT.43 As a result, the selection\n       process was not comprehensive because it did not include all\n       FY 2004 funding for IT.\n\n   \xe2\x80\xa2   Project sponsors had insufficient time to adequately document\n       proposals in the concept paper and Exhibit 300. According to\n       the FBI\xe2\x80\x99s Post-Implementation Review of the pilot test, project\n       sponsors had as little as three days to develop concept papers\n\n\n       43\n          Funding for IT projects comes from both base funding and enhancements.\nBase funding is usually the prior fiscal year\xe2\x80\x99s budget allocation. Enhancements are\nadditions to the prior fiscal year\xe2\x80\x99s base that are sought to fulfill certain priorities.\n\n\n                                         - 57 -\n\x0c      and Exhibit 300s used in the IT proposal selection process. FBI\n      officials told us that it can take over a month to adequately\n      prepare a comprehensive business case analysis (Exhibit 300).\n      As a result of the time constraints, the Post-Implementation\n      Review stated that concept papers, Exhibit 300s, and IT proposal\n      summaries were submitted with gaps and omissions in areas\n      such as: (1) aligning proposed activity with the FBI\xe2\x80\x99s strategic\n      goals, (2) technical details, (3) acquisition and performance\n      management approaches, (4) resource requirements and\n      commitments, (5) expected levels of return-on-investment, and\n      (6) security.\n\n  \xe2\x80\xa2   According to the Post-Implementation Review of the pilot test,\n      the boards and project sponsors did not maximize the use of\n      subject matter experts to facilitate the proposal selection\n      process. Additionally, according to the Post-Implementation\n      Review, project owners did not adequately consult with internal\n      staff in various divisions when preparing their IT proposals.\n\n  \xe2\x80\xa2   Finally, the ITIM Program Manager, appointed in February 2002,\n      was not provided any staff to assist her (other than contractor\n      support). FBI officials stated to us in the self-assessment that\n      the insufficient staffing is the number one challenge to\n      implementing the ITIM process. Additionally, according to the\n      Post-Implementation Review, the ITIM Program Office did not\n      have sufficient staffing to sustain the ITIM process. Specifically,\n      the Post-Implementation Review recommends two additional\n      full-time employees to be added immediately, with an eventual\n      goal of having at least six full-time employees in the ITIM\n      Program Office. ITIM staffing is necessary to facilitate\n      communications between the boards, project owners, and\n      divisions. Clearly, adequate staffing for the ITIM Program Office\n      is essential to successfully implement the ITIM process.\n\n       Without a comprehensive proposal selection process that\nincludes adequate resources and training, the FBI cannot ensure that it\nis selecting the best IT projects that meet mission-critical needs.\n\n\n\n\n                                 - 58 -\n\x0cc.   Recommendations\n\n     We recommend that the Director of the FBI ensures:\n\n14. The ITIM process applies to all IT project proposals, including\n    proposals that are funded through the FBI\xe2\x80\x99s base funding.\n\n15. Sufficient staffing is provided to the ITIM Program Office, as\n    recommended in the Post-Implementation Review.\n\n(8) Overriding Cause for the Lack of an FBI IT Investment\n    Management Foundation\n\n       Although the GAO ITIM Framework was originally published in\nMay 2000, the underlying key practices needed to implement each\ncritical process are, in essence, tasks that are fundamental to any\nproject management endeavor. Some of these tasks include the\nprerequisite conditions that must be in place in an organization to\nsuccessfully implement critical processes. These tasks involve\nallocating resources, establishing organizational structures, and\nproviding training. Another group of tasks include the organizational\ncommitments that ensure critical processes will endure. These tasks\ninvolve establishing organizational policies and engaging senior\nmanagement sponsorship. A third group of tasks include the activities\nnecessary to implement the critical processes. These tasks involve\nestablishing procedures, performing and tracking the work, and taking\ncorrective actions as necessary.\n\n       Although these tasks are fundamental to effective project\nmanagement, the majority of these tasks had not been executed by\nthe FBI to select and manage its IT resources. Prior to the\ndevelopment of its ITIM process in early 2002, the FBI did not give\nsufficient attention to IT investment management. Organizational\npolicies were not clearly established to ensure that critical IT\ninvestment policies endure. Additionally, there were no clearly\ndefined, uniform procedures for project management, tracking project\nperformance, and taking corrective actions as necessary.\n\n      Because the FBI did not fully implement any of the critical\nprocesses associated with Stage Two, the FBI continues to spend\nhundreds of millions of dollars on IT projects without having adequate\nselection and project management controls in place to ensure that IT\nprojects will deliver their intended benefits. However, the FBI has\nmade progress in improving its IT investment process since it initiated\n\n\n                                 - 59 -\n\x0ca new ITIM process in early in 2002. Although further action is\nrequired, the launching of the ITIM process represents improvement in\nthe FBI\xe2\x80\x99s ability to mitigate the risks that IT projects will not deliver\ntheir intended benefits. Whether the FBI can achieve further\nimprovement depends on whether the Plan addresses the remaining\nkey practices not being executed as well as the FBI\xe2\x80\x99s ability to\ncompletely implement the Plan and fully establish its ITIM process.\n\nB. The FBI\xe2\x80\x99s Ability to Improve its IT Investment Practices\n\n       As previously noted, the FBI lacks a foundation necessary to\nbuild its IT investment capabilities, and therefore, is in Stage One\nmaturity. However, in January 2002, the FBI developed an ITIM plan\nto build a foundation for selecting, controlling, and evaluating IT\ninvestments. Additionally, during the course of our audit fieldwork\n(from January 2002 to June 2002), the FBI initiated its ITIM process,\nas defined by the Plan. Consequently, the FBI made progress towards\nimplementing the Plan, especially in the area of IT proposal selection.\n\n      Because the FBI was only in the beginning stages of\nimplementing the Plan during our audit fieldwork, we assessed the\nFBI\xe2\x80\x99s ability to progress through the more advanced stages of the\nframework necessary to improve its IT investment maturity. Our\nassessment of the FBI\xe2\x80\x99s ability to improve its IT investment\nmanagement consisted of the following four areas:\n\n      1.   the Plan\xe2\x80\x99s coverage of Stage Two key practice activities\n           that were not being executed during our fieldwork \xe2\x80\x93\n           necessary to determine adequacy of the Plan;\n\n      2. the amount of participation from ITIM users in developing\n         the ITIM process \xe2\x80\x93 necessary to determine buy-in to the\n         process;\n\n      3. the support from the project management function \xe2\x80\x93\n         necessary to execute the control and evaluate phases of\n         the ITIM process; and\n\n      4. the support from the enterprise architecture function \xe2\x80\x93\n         necessary to advance through the maturity stages of the\n         Framework.\n\n      Our evaluation of these four areas, documented in the following\nsections, includes both the FBI\xe2\x80\x99s strengths and weaknesses in each\n\n\n                                  - 60 -\n\x0carea. In our judgment, the FBI\xe2\x80\x99s efforts in these areas are critical to\nits ability to maximize the effectiveness of its ITIM process, and\nultimately improve mission performance.\n\n(1) The Plan\xe2\x80\x99s Coverage of Stage Two Key Practice Activities\n    That Were Not Being Executed During Our Fieldwork\n\n      The FBI\xe2\x80\x99s IT Investment Management Model and Transition Plan\naddresses the select, control, and evaluate key practice activities\nnecessary to build an IT investment foundation. However, the Plan\nrequires further development to ensure effective implementation.\nBecause the Plan was intended to be a conceptual framework, it was\nnot written to fully describe the specific policies and procedures of the\nselect, control, and evaluate phases of the ITIM process. Without\nfurther development of the ITIM process, the FBI will have difficulty\nmaking additional progress in improving its IT investment\nmanagement practices, especially in the control and evaluate phases.\n\na.   Importance of the Plan\xe2\x80\x99s Coverage of Stage Two Key\n     Practice Activities\n\n      Because the Plan stated that its purpose is to establish and\ndefine the FBI\xe2\x80\x99s Stage Two methodology necessary to build an IT\ninvestment foundation, we examined the Plan\xe2\x80\x99s coverage of Stage Two\nkey practice activities. The FBI was pilot testing the select phase of\nthe ITIM process during our audit fieldwork. As previously noted, we\ndetermined that the FBI executed 14 of 38 Stage Two key practices,\nmainly in the area of proposal selection. Of the 24 key practices that\nwere not executed, 11 specifically related to activities associated with\nthe control and evaluate phases of the ITIM process. Although the FBI\nhad made little progress in executing activities from the control and\nevaluate phases of the Plan during our fieldwork, we examined the\nPlan to determine whether it adequately addressed the 11 Stage Two\nkey practices activities associated with the control and evaluate phases\nthat were not being executed. The ability of the FBI to achieve Stage\nTwo maturity is dependent, in part, on the adequacy of the Plan.\n\n      In JMD\xe2\x80\x99s assessment of the Plan, JMD rated the Plan against\nelements it considered necessary to comply with GAO, OMB, and DOJ\nguidelines. JMD\xe2\x80\x99s assessment indicated that the Plan complied with\nthe criteria used.44 Additionally, JMD\xe2\x80\x99s assessment stated that\nalthough the Plan does not fully address a few items, such as the exact\n\n      44\n           JMD\xe2\x80\x99s assessment of the Plan is contained in Appendix 4 of this report.\n\n\n                                        - 61 -\n\x0ccriteria that will be used to select and evaluate investments, it does\nprovide a schedule for completing these items.\n\n      Our assessment of the Plan focused on whether it addressed the\nStage Two maturity key practices in the GAO ITIM Framework and our\nconclusions are consistent with those from JMD.\n\nb. Results of Our Assessment of the Plan\xe2\x80\x99s Coverage of Stage\n   Two Key Practice Activities Associated with the Control and\n   Evaluate Phases\n\n       In our judgment, the FBI\xe2\x80\x99s IT Investment Management Model\nand Transition Plan addresses the 11 Stage Two key practice activities,\non a conceptual level, that were not being executed during our\nfieldwork. Because the key practice activities are addressed\nconceptually, further development is needed to clearly define these\nactivities and to determine how these activities can be implemented.\n\n       Our analyses (previously documented in this report) indicated\nthat the FBI was not executing one or more key practice activities in\neach of the following Stage Two critical processes: (1) IT investment\nboard operation; (2) IT project oversight; (3) IT project and system\nidentification; and (4) business needs identification. As previously\ndiscussed, 11 of the key practice activities necessary to implement\nthese four critical processes relate to the control and evaluate phases\nof the Plan. The tables below describe how the Plan addresses the key\npractice activities that we determined were not being executed during\nour audit testing.\n\n\n\n\n                                 - 62 -\n\x0c               IT Investment Board Critical Process\n Key Practice Activity Not Executed      How the Plan Addresses the Activity\nActivity 2: Each IT investment board     While the Plan does not provide the\noperates according to written policies   specific written policies and procedures\nand procedures in the organization-      that the investment boards must\nspecific IT investment process guide.    follow, it does indicate that further\n                                         development of these policies and\n                                         procedures are necessary.\n                                         Additionally, the Post-Implementation\n                                         Review of the select phase of the ITIM\n                                         pilot test recommends that additional\n                                         policies and procedures be developed\n                                         in a document that is independent of\n                                         the Plan. Once the FBI\xe2\x80\x99s ITIM policies\n                                         are completely developed, this key\n                                         practice can be executed when the FBI\n                                         rolls-out the control and evaluate\n                                         phases of the ITIM process.\n\n\n     Source: OIG analyses\n\n\n\n\n                                    - 63 -\n\x0c                 IT Project Oversight Critical Process\n\n Key Practice Activity Not Executed        How the Plan Addresses the Activity\nActivity 1: Each project\'s up-to-date       The Plan stipulates that the\ncost and schedule data are provided to the functioning project management\nappropriate IT investment board.            office will review status reports on\n                                            cost, schedule, and performance\n                                            measures. The project management\n                                            office will then forward selected\n                                            reports to the boards for review.\nActivity 2: Using established criteria, the The Plan states that the Project\nIT investment board oversees each IT        Oversight Committee will ensure that\nproject\'s performance regularly by          selected projects are meeting\ncomparing actual cost and schedule data     performance measurement objectives,\nto expectations.                            risks are being appropriately\n                                            managed, budgets and schedules are\n                                            on track, and resource levels are\n                                            adequate.\nActivity 3: The IT investment board           According to the Plan, the Project\nperforms special reviews of projects that     Oversight Committee will perform\nhave not met predetermined performance        special reviews of projects whose\nstandards.                                    status reports are not meeting\n                                              predetermined performance standards.\n\n\nActivity 4: Appropriate corrective actions    The Plan states that the Project\nfor each under-performing project are         Oversight Committee will review a\ndefined, documented, and agreed to by         portfolio status report to determine if\nthe IT investment board and the project       quick corrective actions can be\nmanager.                                      executed to get under-performing\n                                              projects back on track. When this is\n                                              not possible, appropriate\n                                              recommendations will be made to the\n                                              Executive Review Board.\nActivity 5: Corrective actions are            The Plan gives the Project Oversight\nimplemented and tracked until the             Committee the responsibility to\ndesired outcome is achieved.                  ensure that corrective actions are\n                                              implemented.\n\n      Source: OIG analyses\n\n\n\n\n                                     - 64 -\n\x0c      IT Project and System Identification Critical Process\n\n  Key Practice Activity Not Executed       How the Plan Addresses the Activity\nActivity 1: The organization\'s IT projects The Plan states that an IT investment\nand systems are identified and specific     portfolio will be built for development\ninformation about these projects and        projects as the ITIM process is being\nsystems is collected in an inventory.       pilot tested. An IT portfolio is expected\n                                            to be completed for the full-blown ITIM\n                                            roll-out during the FY 2005 budget\n                                            cycle.\nActivity 2: Changes to IT projects and      FBI personnel told us that while there\nsystems are identified and change           is not a written procedure to\ninformation is collected in the inventory.  document changes to IT projects and\n                                            systems, a policy will be developed\n                                            when the IT asset inventory is\n                                            complete. The IT asset inventory will\n                                            then be updated as changes are\n                                            made to IT projects and systems.\nActivity 3: Information from the            FBI personnel stated that the IT asset\ninventory is available on demand to         inventory, when complete, will be\ndecision-makers and other affected          maintained on the FBI\xe2\x80\x99s Intranet, so\nparties.                                    that relevant information will be\n                                            available on demand to decision-\n                                            makers and other affected parties.\n\nActivity 4: The IT project and system          FBI personnel stated that the IT asset\ninventory and its information records are      inventory and IT portfolio, when\nmaintained to contribute to future             complete, will be updated continually\ninvestment selections and assessments.         to become an archive of information\n                                               to be used for future investment\n                                               selections and evaluations.\n\n\n\n     Source: OIG analyses\n\n\n\n\n                                      - 65 -\n\x0c            Business Needs Identification Critical Process\n  Key Practice Activity Not Executed         How the Plan Addresses the Activity\n Activity 3: Identified users participate in  The Plan states that it is crucial for\n project management throughout a              project team members (which must\n project\'s life-cycle.                        include identified users of the project)\n                                              to work closely together throughout\n                                              the project\xe2\x80\x99s life-cycle. These project\n                                              teams support the functional project\n                                              management office and Project\n                                              Oversight Committee.\n\n\n       Source: OIG analyses\n\n       With the pilot testing of the select phase, the FBI further\ndeveloped and refined the proposal selection process and provided\ntraining on proposal selection to ITIM users. The training materials\nsupplemented and supported the documentation in the Plan to more\nclearly define the roles of ITIM users, such as IT investment review\nboard members, project sponsors, and ITIM liaison representatives.\n\n      Even with these additional materials, the Post-Implementation\nReview of the select phase of the Plan (performed by the ITIM\ncontractor) recommended that the FBI significantly expand its\ndocumentation of polices and procedures relating to the ITIM process\nby:\n\n   \xe2\x80\xa2   explicitly defining the ITIM Program Office\xe2\x80\x99s roles and\n       responsibilities so that resources can be concentrated on\n       enabling and facilitating the process as well as supporting the\n       development of process input;\n\n   \xe2\x80\xa2   developing and documenting detailed policy, processes, and\n       procedures in a stand-alone document independent of the Plan;\n\n   \xe2\x80\xa2   developing a formal ITIM training program that includes focused\n       training on the roles of various ITIM users, including board\n       members and ITIM liaison representatives;\n\n   \xe2\x80\xa2   developing a formal communications plan to ensure all ITIM\n       users are provided with visibility and timely feedback from the\n       ITIM process; and\n\n\n\n\n                                       - 66 -\n\x0c   \xe2\x80\xa2    refining and expanding ITIM tools necessary to sustain the\n        process, including an \xe2\x80\x9cIT investment proposal tracking\n        management tool.\xe2\x80\x9d45\n\n      The FBI recognized that the Plan was never intended to\nrepresent its final policies and procedures for its ITIM process. The\nPlan states that it provides a conceptual framework for achieving\nStage Two maturity, and will evolve as the FBI\xe2\x80\x99s ITIM process\nadvances to higher levels of maturity.\n\n       Without further development and refinement of the ITIM\nprocess, the FBI will have difficulty making additional progress in\nimproving its IT investment management practices. Because the goal\nof Stage Two maturity is to build standardized methodologies for\nselecting and controlling IT investments, the FBI must have adequate\ndocumentation of these methodologies to make them repeatable and\ninstitutionalized. The Post-Implementation Review, prepared by the\nITIM contractor, acknowledged the necessity for further developing\nand refining the Plan. In our judgment, the FBI must implement the\nrecommendations set forth in the Post-Implementation Review prior to\ntaking further action in pilot testing the control and evaluate phases of\nthe ITIM process.\n\nc. Recommendation\n\n       We recommend that the Director of the FBI ensure:\n\n16. The recommendations set forth in the Post-Implementation\n    Review relating to expanding the policies and procedures of the\n    ITIM process are implemented.\n\n(2) The Amount of Participation from ITIM Users in Developing\n    the ITIM Process\n\n     In our judgment, the Plan was written with minimal input\nand coordination from relevant ITIM users. The main reason cited by\n\n\n\n\n        45\n         According to the Post-Implementation Review, this tool would formally\ntrack and document the entire life-cycle of an IT investment proposal from the time\nthe ITIM Program Office receives a concept paper to the time the final disposition is\nmade.\n\n\n\n                                       - 67 -\n\x0cIRD officials46 for the limited participation from ITIM users was\ninsufficient time allotted to develop the Plan. As a result, the\ninstitutionalization and buy-in47 of the ITIM process may have been\nhampered.\n\na.    Importance of ITIM User Participation in Developing the\n      ITIM Process\n\n      Good management practices dictate that organizations involve\nrelevant stakeholders when attempting to implement a new\nmanagement process. This involvement aids in the institutionalization\nof the process. Institutionalization of the ITIM process is a key goal of\nthe Plan, which states: \xe2\x80\x9c[The ITIM] process applies to ALL information\ntechnology projects, from ALL business units, from ALL funding\nsources, whether they be new, in development or operational.\xe2\x80\x9d\n\n       Because of the broad applicability of the ITIM process, in our\njudgment the FBI should have involved representatives from\nthroughout the Bureau when developing the Plan. In particular,\nindividuals from the three divisions that manage major IT projects\n(the IRD, CJIS, and Laboratory Divisions) should have had substantial\ninput into the creation of the Plan. Further, the Inspection Division\xe2\x80\x99s\nMajor Project Management Oversight Unit (MPMOU) has a\nresponsibility to oversee major projects in the Bureau, including IT\nprojects, and thus should also have been involved in creating the Plan.\n\nb. Results of Our Assessment of ITIM User Participation in\n   Developing the ITIM Process\n\n       We found that relevant ITIM users from the IRD, CJIS Division,\nLaboratory Division, and Inspection Division were not given significant\ninput into how the Plan was developed. Our interviews with IRD\npersonnel indicated that the FBI gave the ITIM contractor the primary\nresponsibility to write the Plan, without requiring significant\nparticipation from ITIM users in developing the initial draft of the Plan.\n\n       46\n          The Information Resources Management Section, maintained within the IRD\nuntil February 2002, was directed to oversee the development of the FBI\xe2\x80\x99s ITIM\nprocess. In February 2002, the Information Resources Management Section was\nmoved from the IRD to the Office of the Director. The ITIM Program Office was then\nformed within the Information Resources Management Section to oversee the ITIM\nprocess.\n       47\n          According to the Framework, institutionalization and buy-in of the ITIM\nprocess is signified by ITIM users supporting and executing ITIM process activities.\n\n\n\n                                       - 68 -\n\x0cAdditionally, we determined that while the contractor interviewed\nnumerous individuals from the IRD, it only interviewed two people\nfrom the Inspection Division, one person from the CJIS Division, and\nnone from the Laboratory Division.48 Further, as we discuss below,\nthe enterprise architecture office (part of the IRD until February 2002)\nwas not given adequate input into the development of the ITIM\nprocess. Also, the interviews that did occur outside of IRD mainly\nfocused on the individuals\xe2\x80\x99 current responsibilities for managing IT\ninvestments, rather than their insights into how the new ITIM process\ncould be shaped to best meet the needs of the Bureau. The following\nparagraphs provide the perspectives of ITIM users from the IRD,\nCJIS Division, Laboratory Division, and the Inspection Division.\n\n       Personnel from the enterprise architecture office told us that\nbecause the FBI\xe2\x80\x99s ITIM process had been developing concurrently with\nthe enterprise architecture function, there should have been more\ncoordination between the ITIM contractor and enterprise architecture\noffice to increase effectiveness and reduce duplication of effort. For\nexample, the enterprise architecture office drafted charters for a\nthree-tiered IT investment review board structure, similar to what was\nultimately written by the ITIM contractor. Additionally, the enterprise\narchitecture office was preparing initiatives to improve the FBI\xe2\x80\x99s IT\ninvestment management practices. While the enterprise architecture\noffice was drafting board charters and other processes designed to\nimprove the FBI\xe2\x80\x99s IT investment management practices, the ITIM\ncontractor, supervised by the ITIM Program Office, wrote the Plan\nwithout incorporating the work already accomplished by the enterprise\narchitecture office.\n\n       Additionally, an individual from the enterprise architecture office\ntold us that although he believed the ITIM process represents a\npositive step for the FBI, it must incorporate more involvement from\nthe enterprise architecture function to ensure success of the process.\nHe further stated that the IT investment review boards must rely more\non the vast knowledge, expertise, and talents of FBI IT personnel prior\nto making decisions.\n\n      Further, according to a manager in the Information Resource\nManagement Section, the Enterprise Architecture Technical\nCommittee, which supports the Technical Review Board, has not been\ngiven the responsibility to ensure that IT proposals align with the\n\n       48\n          The ITIM Program Office has the ultimate responsibility for directing the\nactions of the ITIM contractor.\n\n\n                                        - 69 -\n\x0cmission of the FBI. The responsibilities of the Technical Review Board,\nas defined in the Plan, are focused on reviewing the technical risks of\nIT projects. These technical risks include compliance with the\n\xe2\x80\x9ctechnical architecture\xe2\x80\x9d or configuration management of the FBI,\nrather than the business architecture which shows how the business\nprocesses work together to satisfy the mission. The Plan and board\ncharters assigned this responsibility to the Project Oversight\nCommittee. In our judgment, because the responsibilities of the\nenterprise architecture office comprise both the technical and business\narchitecture, the Enterprise Architecture Technical Committee should\nnot only be responsible for assessing compliance with the technical\narchitecture, but should also be responsible for assessing compliance\nwith the business architecture. This added responsibility would\nprovide greater assurance to FBI executives that IT proposals selected\nwill enhance the Bureau\xe2\x80\x99s capability in achieving its mission.\n\n      An official from the CJIS Division told us that he was interviewed\nby representatives from the ITIM contractor on one occasion to\ndetermine what role the CJIS Division had in managing IT projects.\nHowever, he was not consulted on how the FBI\xe2\x80\x99s ITIM process should\nbe created. He stated the only opportunity he had to comment on the\nPlan was after it was written in January 2002. His belief was that the\nITIM Program Office was relying solely on the contractor to write the\nPlan, rather than building a Plan that has the input and buy-in from all\nFBI divisions.\n\n       While this official from the CJIS Division said to us that the Plan\nwas an improvement over the FBI\xe2\x80\x99s current process for managing IT\ninvestments, he was not convinced that the process could be\neffectively implemented without addressing other pressing issues, such\nas the need for: (1) standardized methodologies in configuration\nmanagement, quality assurance, and IT security; (2) improved support\nof contractors that work on IT systems; and (3) more representation\nof individuals with IT technical expertise on the IT investment review\nboards.\n\n       An official from the Laboratory Division\xe2\x80\x99s project management\noffice told us that he first became aware of the Plan when training was\nannounced for the new ITIM process in February 2002. Another\nofficial from the Laboratory Division told us that to his knowledge, no\none from the Laboratory Division was consulted by the ITIM contractor\nprior to the preparation of the Plan. He told us that the Laboratory\nDivision\xe2\x80\x99s current process was working fine and not in need of change.\n\n\n\n                                  - 70 -\n\x0c      Additionally, Inspection Division personnel, including individuals\nfrom the MPMOU, told us (as of June 2002) they were only consulted\nby the ITIM contractor as to how they acquired IT, not for their project\noversight role.\n\n        An official from the Information Resources Management Section\ncited the insufficient amount of time allotted to prepare the Plan as the\nmain cause for the limited involvement from ITIM users. As we\npreviously mentioned, the FBI waited until December 2001 to engage\nthe ITIM contractor to develop the Plan, despite learning of the DOJ\xe2\x80\x99s\nrequirements to prepare a plan in January 2001. The ITIM Program\nOffice Manager stated that the former Chief Financial Officer did not\ninitially approve the use of an outside contractor to develop the Plan,\ncausing a delay in hiring the contractor. The former Chief Financial\nOfficer confirmed to us that there were initial concerns in using an\noutside contractor to develop a management process that affects how\nthe IT budget is allocated and spent. Because the DOJ required\ninitiation of the ITIM process during the FY 2004 budget cycle (which\nfor the FBI begins in March), there was limited time between the\ndevelopment of the Plan (December 2001) and the initiation of the ITIM\nprocess (March 2002). In fact, the FBI only gave the contractor\napproximately two weeks to write the Plan because of the impending\ndeadline to submit the Plan to JMD. As a result, FBI personnel told us\nthat the ITIM contractor did not have ample time to include more ITIM\nusers in the Plan\xe2\x80\x99s development.\n\n       While FBI officials from the Information Resources Management\nSection acknowledged the ITIM contractor\xe2\x80\x99s time constraints in\ndeveloping the Plan, they also stated that the Plan is only a draft, and\nwill be modified as the ITIM process is pilot tested. Additionally,\nbecause the three IT investment review boards established by the ITIM\nprocess include representatives from the major divisions that manage\nIT projects, officials from the Information Resources Management\nSection told us that there is significant opportunity for input into\nrefining the ITIM process as it is being pilot tested.\n\n       Despite the Information Resource Management Section\xe2\x80\x99s position\nthat the pilot test provides ample opportunity for input into refining the\nITIM process, in our judgment, the ITIM Program Office, along with the\nITIM contractor, continues to develop the ITIM process without\nincorporating sufficient input from relevant stakeholders. For example,\na manager from the enterprise architecture office stated to us in\nJuly 2002 that the ITIM Program Office had not requested his\nparticipation during development of the control phase of the ITIM\n\n\n                                  - 71 -\n\x0cprocess. This individual told us the enterprise architecture function\nshould have a role in enhancing the control and evaluate phases of the\nITIM process, but has not had the opportunity to demonstrate this role.\nAdditionally, the process for the development of the control phase has\nnot substantially changed from the select phase: the ITIM contractor,\nsupervised by the ITIM Program Office, writes the policies and\nprocedures which are then pilot tested by the ITIM users. In our\njudgment, this approach is not conducive to a process whose success\ndepends on institutionalization and buy-in from ITIM users.\n\nc. Summary\n\n       In our judgment, the lack of involvement by relevant ITIM users\ninhibits management buy-in to the ITIM process. If there had been\nmore participation in the development of the Plan, some of the\nconcerns stated above by key ITIM users might have been mitigated.\nThe FBI must address these concerns to facilitate the\ninstitutionalization and buy-in the of the ITIM process, and ultimately\nimprove its effectiveness.\n\nd. Recommendations\n\n      We recommend that the Director of the FBI ensure:\n\n17. The ITIM Program Office and the ITIM contractor incorporate the\n    input from various ITIM users, including those from the\n    enterprise architecture office, the CJIS Division, the Laboratory\n    Division, and the Inspection Division as the control and evaluate\n    phases of the ITIM process are being developed and refined. This\n    input should be solicited through working group sessions\n    scheduled on a periodic basis.\n\n18. The ITIM process is modified so that the Technical Review Board\n    and Enterprise Architecture Technical Committee perform a\n    business architecture compliance review of IT project proposals to\n    ensure these proposals support the mission of the FBI.\n\n(3) The Project Management Function\xe2\x80\x99s Support of the ITIM\n    Process\n\n      The FBI\xe2\x80\x99s project management function needs improvement to\nadequately support the ITIM process, especially in the control and\nevaluate phases of the process. The FBI recognizes the importance of\nupgrading the project management function. In particular, the Plan\n\n\n                                 - 72 -\n\x0cstates that the project management office must fulfill a critical role in\nsupporting the Project Oversight Committee. In addition to the Plan,\nthe FBI has taken other steps towards improving its project\nmanagement function. Specifically, in June 2002, the FBI announced\nplans to create an Office of Programs Management. The Office of\nPrograms Management will serve as a centralized project management\noffice49 that FBI officials from this office and the Information Resources\nManagement section expect to play a key role in implementing the\nITIM process. Despite the progress being made, the FBI still has\ncritical areas to address, such as integrating a project management\nmethodology with its ITIM process.\n\na.   Relationship Between Project Management and ITIM\n\n       Numerous legislative mandates, including the Results Act and\nthe Clinger-Cohen Act, require federal agencies to establish and\nmaintain processes for managing systems throughout their life-cycle.\nThese legislative mandates indicate that basic project management\npractices are essential if an organization is to ensure that its IT\nprojects have established cost, schedule, and technical performance\nbaselines that are monitored throughout the project\xe2\x80\x99s life-cycle.\nAdditionally, project management is fundamental to supporting an\nITIM process. In particular, the control phase of an ITIM process\nrequires an organization to have a project management function. For\nexample, IT project oversight, which encompasses basic project\nmanagement practices, must be implemented for an organization to\nachieve Stage Two maturity. However, the Framework does not by\nitself provide a comprehensive model for how an organization should\ndevelop its project management function.\n\n      According to the Framework, an ITIM process is not a substitute\nfor good project management. While an ITIM process takes an\nenterprise-wide focus, good project-level management forms the\nfoundation for successful IT investments.\n\n       In our judgment, for the FBI\xe2\x80\x99s project management function to\neffectively support its ITIM process, the Bureau must have: (1) a fully\noperational centralized project management office whose\nresponsibilities are directly integrated with the ITIM process, and\n(2) a standardized project management methodology that is\n\n       49\n          In this context, a centralized project management office is independent of\nany division. As a result, the Project Management Executive, who heads the Office\nof Programs Management, reports to the Director.\n\n\n\n                                       - 73 -\n\x0cintegrated with the ITIM process. Because of the importance of these\nefforts, we assessed the FBI\xe2\x80\x99s progress in integrating these areas with\nits ITIM process.\n\nb. Importance of a Centralized Project Management Office\n\n      The Plan recommends that project teams be staffed from a\n\xe2\x80\x9cpool\xe2\x80\x9d of managers and developers maintained in the project\nmanagement office. These project teams would not be dedicated to\nsolely one division, function, or application; instead, these teams\nwould work on all types of IT projects across the Bureau. According to\nthe Plan, this approach has many benefits, including:\n\n     \xe2\x80\xa2    critical IT skills are available across all projects;\n\n     \xe2\x80\xa2    personnel have more opportunities to work in multiple\n          environments, which creates a richer, more interesting job\n          environment;\n\n     \xe2\x80\xa2    expertise across projects enhances and encourages the use of\n          best practices; and\n\n     \xe2\x80\xa2    managers are better able to assess IT personnel as they perform\n          in multiple project environments.\n\n      We concur with the Plan\xe2\x80\x99s recommendations. Although the Plan\ndoes not specifically state that the project management office should\nbe centralized (independent of any division), in our judgment, such a\nstructure is most conducive to attaining the benefits listed above.\n\n      In addition to the above benefits, a centralized project\nmanagement office can ensure that IT project teams are following a\nstandardized project management methodology that is integrated with\nthe ITIM process. In our judgment, this added control is especially\nimportant to the FBI since we previously concluded that the FBI\xe2\x80\x99s three\nmain divisions that manage IT projects (the IRD, CJIS, and Laboratory\nDivisions) have not been consistently using a standardized project\nmanagement methodology.\n\nc.       Importance of a Standardized Project Management\n         Methodology\n\n    The DOJ recognized the importance of integrating project\nmanagement with the ITIM process. In January 2001, it issued DOJ\n\n\n                                       - 74 -\n\x0cOrder 2880.3 to require components to manage IT investments in a\nway that demonstrates good stewardship, complies with applicable\nlaws, and accomplishes the agency\xe2\x80\x99s diverse mission. Among its\npolicies, the Order required each DOJ component to establish an ITIM\nprocess that is integrated with a structured system development life-\ncycle methodology. While the FBI is mandated to use the DOJ\xe2\x80\x99s\nSystem Development Life-Cycle methodology, we previously stated in\nthis report that it has not been used consistently.\n\nd. Results of Our Assessment of the FBI\xe2\x80\x99s Progress in\n   Integrating its ITIM Process with the Responsibilities of a\n   Centralized Project Management Office\n\n      As discussed below, we concluded that the FBI has recently\nmade progress in integrating its ITIM process with the responsibilities\nof a centralized project management office. Not only does the FBI\nrecognize the importance of this integration, but it has taken major\nsteps towards incorporating the ITIM process with the responsibilities\nof a centralized project management office. This progress was\nevidenced by: (1) how the Plan defined the role of the project\nmanagement function, and (2) the FBI\xe2\x80\x99s recent efforts to establish a\ncentralized project management office.\n\n      The Plan recommends centralization of IT investment\nmanagement through the use of IT investment review boards that\nhave Bureau-wide oversight. Of the FBI\xe2\x80\x99s three IT investment review\nboards, the Project Oversight Committee has the primary responsibility\nfor controlling IT projects. Additionally, the Plan calls for a project\nmanagement office, a subcommittee of the Project Oversight\nCommittee, to have discretion in managing IT projects Bureau-wide.\n\n      Specifically, the Plan defines how the primary responsibilities of\nthe project management office must be integrated with the activities\nof the ITIM process, particularly during the control and evaluate\nphases. These responsibilities include:\n\n   \xe2\x80\xa2   ensuring that resources, funding, and schedule timeframes are\n       reasonable for each individual project;\n\n   \xe2\x80\xa2   determining what staff and funding are needed for a project, and\n       assigning staff and funding accordingly;\n\n\n\n\n                                 - 75 -\n\x0c   \xe2\x80\xa2   providing advice and counsel to internal project teams in the\n       execution of ITIM activities;\n\n   \xe2\x80\xa2   providing a consistent set of project management tools and\n       processes for ITIM projects;\n\n   \xe2\x80\xa2   providing tools to project team members, such as Gantt charts,\n       Pertt charts, and Microsoft Project;\n\n   \xe2\x80\xa2   providing governing responsibility and oversight to day-to-day\n       project managers; and\n\n   \xe2\x80\xa2   determining whether project goals are achieved on time, on\n       budget, and as designed.\n\n       We were told in June 2002 that the Director of the FBI approved\nthe creation of a centralized project management office, whose chief\nexecutive would report to the Director.50 This project management\noffice, which would be independent of all other FBI divisions, would\nhave the primary responsibility of managing projects in the Bureau.\nThese projects would include, but not be limited to, information\ntechnology. The proposed mission for this new office is: \xe2\x80\x9cTo assist the\nFBI in effectively managing, implementing, and deploying high-\npriority, complex and high risk development projects of high dollar\nvalue to successfully support the FBI\xe2\x80\x99s operational mission.\xe2\x80\x9d To\nachieve this mission, this office will be:\n\n   \xe2\x80\xa2   developing a repeatable process for the efforts described in the\n       mission statement (defined above) and for training a skilled\n       corps of FBI project management subject matter experts;\n\n   \xe2\x80\xa2   advising on program management and acquisition-planning\n       related organizational issues, proposals, and strategies;\n\n   \xe2\x80\xa2   providing direct project management support in developing the\n       crucial technology infrastructure for FBI investigation operations;\n       and\n\n   \xe2\x80\xa2   coordinating organizational resource allocation and management\n       services and supporting the FBI\xe2\x80\x99s mission and priorities.\n\n\n       50\n          The FBI is calling this office the \xe2\x80\x9cOffice of Programs Management.\xe2\x80\x9d As\nplanned by the FBI, this office will be under the Director\xe2\x80\x99s office and independent of\nany division.\n\n\n                                        - 76 -\n\x0c      In addition, the Office of Programs Management has the\nfollowing core functions for which it will ultimately be responsible:\n(1) system engineering, (2) schedule, (3) budget, (4) risks,\n(5) contract management, (6) certification and accreditation of IT\nsystems, (7) configuration management, and (8) quality assurance.\n\n       In our judgment, the creation of the Office of Programs\nManagement represents a critical first step towards centralizing the\nproject management function and improving its effectiveness.\nAdditionally, officials from the Information Resources Management\nSection and the Office of Programs Management have told us that they\nare working together to facilitate the integration of the responsibilities\nof the eight core functions listed above. The ITIM process needs the\nfull support of the Office of Programs Management to implement the\ncontrol and evaluate phases of the Plan. Therefore, in our judgment,\nthe FBI should continue its efforts to integrate the responsibilities of\nthe Office of Programs Management with the ITIM process.\nSpecifically, a plan should be developed that outlines activities that\nmust be performed to complete the integration, along with reasonable\nsuspense dates. Additionally, this plan should provide the criteria and\nthresholds that the Office of Programs Management will use to select\nIT projects for review.\n\ne. Results of Our Assessment of the FBI\xe2\x80\x99s Progress in\n   Integrating its ITIM Process with a Standardized Project\n   Management Methodology\n\n       We concluded that the FBI has not taken the necessary actions\nto integrate the ITIM process with a standardized project management\nmethodology. While officials from the Information Resources\nManagement Section have acknowledged to us that the ITIM process\nneeds to be integrated with a standardized project management\nmethodology, they have not taken sufficient action to ensure that\nthese processes are integrated in a timely manner. This conclusion is\nevidenced by the Information Resources Management Section\xe2\x80\x99s lack of\ncoordination with the Inspection Division\xe2\x80\x99s Major Project Management\nOversight Unit (MPMOU), as previously reported in this section.\nAdditionally, as discussed in the following paragraphs, the FBI risks\nduplicating efforts in managing IT projects if it implements the control\nand evaluate phases of the ITIM process without integrating these\nphases first with a standardized project management methodology.\n\n\n\n\n                                  - 77 -\n\x0c      To improve the FBI\xe2\x80\x99s ability to manage projects, including IT\nprojects, the prior FBI Director requested that the MPMOU establish a\nstandardized project management methodology for Bureau-wide use.\nIn October 2001, the MPMOU completed the Project Management\nProcess and submitted it to executive management for approval. The\nProject Management Process, which incorporates the DOJ\xe2\x80\x99s System\nDevelopment Life-Cycle methodology, provides a framework that\nencompasses all phases of a project\xe2\x80\x99s life-cycle, including planning,\ndeveloping, support, and disposal.\n\n      Personnel from the MPMOU stated to us that the Project\nManagement Process provides a mechanism to fulfill certain\nrequirements of the ITIM process. Specifically, personnel from the\nMPMOU told us that the project management process facilitates the\nITIM process by:\n\n  \xe2\x80\xa2   providing documentation to support investment decisions that\n      span the life-cycle of the IT investment;\n\n  \xe2\x80\xa2   providing a select, control, evaluate approach to managing\n      validated IT needs;\n\n  \xe2\x80\xa2   providing quantifiable measurements for monitoring cost,\n      schedule, and performance baselines and processes for\n      identifying baseline breaches;\n\n  \xe2\x80\xa2   providing an executive oversight forum for monitoring the\n      management of IT investments; and\n\n  \xe2\x80\xa2   acknowledging the interdependencies between cross-cutting\n      processes.\n\n      According to MPMOU personnel, given their knowledge of the\nFBI\xe2\x80\x99s requirement to develop an ITIM process, they made repeated\nattempts beginning in 2001 to work with individuals from the\nInformation Resources Management Section to develop these\nprocesses concurrently.\n\n      In November 2001, personnel from the MPMOU prepared a\npresentation entitled \xe2\x80\x9cProject Management Process Compatibility with\nthe ITIM Process\xe2\x80\x9d to show appropriate individuals from the IRD the\nsimilarities between the two processes. However, according to MPMOU\npersonnel, individuals from the IRD who were managing the\ndevelopment of the ITIM process never gave MPMOU the opportunity\n\n\n                                - 78 -\n\x0cto make their presentation. In April 2002, after the development and\ninitiation of the ITIM process, the MPMOU sent an electronic\ncommunication to the Director\xe2\x80\x99s office explaining the need to integrate\nthese processes. The electronic communication stated that integration\nof these processes would improve efficiencies, streamline reporting\nand paperwork requirements, and improve the FBI\xe2\x80\x99s compliance with\napplicable regulations, including DOJ Order 2880.3. As of\nJune 2002, no additional action had been taken by the Information\nResources Management Section to integrate these processes.\n\n       Despite the efforts by the MPMOU to integrate the two\nprocesses, the Information Resources Management Section (with the\nsupport of the ITIM contractor) developed and began implementation\nof the FBI\xe2\x80\x99s IT Investment Model and Transition Plan without\nattempting to integrate it with the Project Management Process. Until\nthe FBI integrates these two processes, the FBI will not be in\ncompliance with DOJ Order 2880.3. Additionally, the FBI will be\nunable to effectively implement the control phase and evaluate phases\nof the ITIM process. Further, the FBI risks inefficient use of resources\nas a result of the duplication of efforts that could occur if the FBI fails\nto integrate these processes. FBI officials from the Information\nResources Management Section have acknowledged to us that they\nmust integrate the control and evaluate phases of the ITIM process\nwith a standardized project management methodology. Despite their\nrecognition of this need, as of June 2002 they did not have the details\nof how or when this will occur.\n\nf. Summary\n\n       Although the FBI has taken a critical first step in (1) centralizing\nits project management structure, and (2) incorporating the\nresponsibilities of the Office of Programs Management with the ITIM\nprocess, the FBI must take further action in integrating its ITIM\nprocess with a standardized project management methodology.\nWithout this further action, the FBI\xe2\x80\x99s project management function will\nnot adequately support the ITIM process. Consequently, the FBI risks\nineffective execution of its control and evaluate phases as well as\ninefficient use of resources in managing its IT investments.\n\n\n\n\n                                  - 79 -\n\x0cg. Recommendations\n\n      We recommend that the Director of the FBI ensure:\n\n19.   The FBI prepares a plan that specifically details how the project\n      management office will support the ITIM process. This plan\n      should include the project management office\xe2\x80\x99s criteria and\n      thresholds for: (a) selecting IT projects to manage, and\n      (b) identifying projects that the Project Oversight Committee will\n      review.\n\n20.   The FBI develops and implements a specific plan detailing how\n      and when it will integrate the ITIM process with a system\n      development life-cycle methodology such as the Project\n      Management Process.\n\n(4) The Enterprise Architecture Function\xe2\x80\x99s Support of the ITIM\n    Process\n\n      The FBI\xe2\x80\x99s enterprise architecture function needs improvement to\nadequately support the ITIM process. The FBI has taken a critical first\nstep in establishing an enterprise architecture framework with a\nlimited amount of time and resources dedicated to this effort. Despite\nthe progress being made, the lack of a fully developed enterprise\narchitecture framework will hamper the FBI\xe2\x80\x99s ability to advance\nthrough the ITIM maturity framework.\n\na.    Importance of Having Support from the Enterprise\n      Architecture Function\n\n      Enterprise architecture is the organization-wide blueprint that\ndefines an entity\xe2\x80\x99s functions and systems, including IT systems. It\nprovides a comprehensive view (through models, narratives, and\ndiagrams) of the interrelationships of an organization\xe2\x80\x99s operations and\nstructures and how these structures align with the organization\xe2\x80\x99s\nmission. The Clinger-Cohen Act of 1996 recognizes the\ninterrelationship between enterprise architecture and IT investment\nmanagement by requiring federal agencies to develop an enterprise\narchitecture.\n\n\n\n\n                                 - 80 -\n\x0c     In a review of enterprise architecture use in the federal\ngovernment, the GAO stated in its February 2002 report:51\n\n      The architecture describes the enterprise\xe2\x80\x99s operations in\n      both (1) logical terms, such as interrelated business\n      processes and business rules, information needs and flows,\n      and work locations and users, and (2) technical terms,\n      such as hardware, software, data, communications, and\n      security attributes and performance standards. It provides\n      these perspectives both for the enterprise\xe2\x80\x99s current or\n      \xe2\x80\x9cas is\xe2\x80\x9d environment and for its target or \xe2\x80\x9cto be\xe2\x80\x9d\n      environment, as well as a transition plan for moving from\n      the \xe2\x80\x9cas is\xe2\x80\x9d to the \xe2\x80\x9cto be\xe2\x80\x9d environment. Enterprise\n      architecture development, implementation, and\n      maintenance is a basic tenet of effective IT management.\n      Managed properly, these architectures can clarify and help\n      optimize the interdependencies and interrelationships\n      among an organization\xe2\x80\x99s business operations and the\n      underlying IT infrastructure and applications that support\n      these operations. Employed in concert with other\n      important IT management controls, such as portfolio based\n      capital planning and investment control practices,\n      enterprise architecture frameworks can greatly increase\n      the chances that organizations\xe2\x80\x99 operational and IT\n      environments will be configured in such a way as to\n      optimize mission performance. Our experience with\n      federal agencies has shown that attempting to modernize\n      information technology environments without an enterprise\n      architecture to guide and constrain investments often\n      results in systems that are duplicative, not well integrated,\n      unnecessarily costly to maintain and interface, and\n      ineffective in supporting mission goals.\n\n\n\n\n      51\n         See \xe2\x80\x9cINFORMATION TECHNOLOGY: Enterprise Architecture Use Across the\nFederal Government Can Be Improved\xe2\x80\x9d (GAO-02-6).\n\n\n\n                                   - 81 -\n\x0c      According to the Framework, achieving IT investment maturity\ndepends not only on implementing the ITIM critical processes, but also\non other good management attributes such as the effective use of\nhuman capital, training, enterprise architecture, and software\nmanagement. Specifically, an established enterprise architecture\nsupports the ITIM process by facilitating an organization\xe2\x80\x99s\nadvancement through the maturity stages of the Framework.\n\n      Achieving Stage Two maturity requires an organization to,\namong other things: (1) identify its IT projects and systems;\n(2) identify its business and user needs; and (3) select IT projects that\nalign with those business and user needs. An organization\xe2\x80\x99s enterprise\narchitecture would assist in the implementation of this critical\nprocesses by identifying the needs between the entity\xe2\x80\x99s current IT\nsystems and processes and its target or future IT system environment.\n\n      Achieving Stage Three maturity52 is dependent on a functioning\nenterprise architecture framework. The Plan states that to advance to\nStage Three maturity, the FBI will a need a formal enterprise\narchitecture committee to assess the IT portfolio for enterprise\narchitecture compliance.\n\n      Achieving Stage Four maturity requires further integration of the\nenterprise architecture function with the ITIM process.53 The Plan\nstates that the FBI will have to completely integrate its enterprise\narchitecture framework to enhance the management of its IT portfolio.\n\n      To respond to the importance of developing and overseeing\nenterprise architecture management in the Federal government, the\nGAO developed a maturity framework for enterprise architecture\nmanagement that can be used in determining agencies\xe2\x80\x99 development,\nimplementation, and maintenance of these architectures. The\nmaturity framework, developed in 2001, is based on the core elements\nnecessary for an organization to achieve effective enterprise\narchitecture management. These core elements are arranged into a\n\n      52\n        According to the Framework, Stage Three maturity is managing IT\ninvestments as a complete portfolio.\n      53\n           According to the Framework, Stage Four maturity is improving the\ninvestment process through process evaluation techniques that focus on\nenhancing the performance and management of the organization\xe2\x80\x99s IT investment\nportfolio.\n\n\n\n                                    - 82 -\n\x0cseries of five hierarchical stages based on the implicit dependencies\namong these elements. This framework is consistent with other\nmaturity frameworks, including the ITIM framework. The framework\xe2\x80\x99s\nfive stages of enterprise architecture management maturity are\ndescribed in Appendix 5 of this report.\n\n       To assess the status of federal agencies\xe2\x80\x99 efforts to develop,\nimplement, and maintain enterprise architectures, the GAO surveyed\n116 agencies (including the FBI) in 2001 using a questionnaire that\nwas based on the core elements of the enterprise architecture maturity\nframework. The GAO published the results of this survey in its\nFebruary 2002 report on enterprise architecture (\xe2\x80\x9cINFORMATION\nTECHNOLOGY: Enterprise Architecture Use Across the Federal\nGovernment Can Be Improved\xe2\x80\x9d). The GAO indicated in the report that\nof the 116 agencies surveyed, 98 reported meeting the minimum\ncriteria necessary for Stages One or Two \xe2\x80\x94 creating enterprise\narchitecture awareness or building an enterprise architecture\nmanagement foundation. In contrast, only five agencies reported\nsatisfying the practices that GAO stated are needed to effectively\nmanage enterprise architecture activities (Stages Four or Five).\n\n      The results of the GAO survey, completed by the FBI in\nJuly 2001, indicated that the FBI is in Stage One of the enterprise\narchitecture maturity framework.54 According to the GAO, Stage One\nmaturity is characterized by either no plans to develop and use an\nenterprise architecture, or plans and actions that do not yet\ndemonstrate an awareness of the value of having and using one.\nWhile stage one agencies may have initiated some enterprise\narchitecture core elements, these agencies\xe2\x80\x99 efforts are inconsistent\nand unstructured, and do not provide the management foundation\nnecessary for successful enterprise architecture development.\n\n      Specifically, the GAO reported that the FBI needed to fully\nestablish the management foundation that is necessary to begin\ndeveloping, implementing, and maintaining an enterprise architecture.\nWhile the FBI implemented most of the core elements associated with\nestablishing the management foundation, it had not yet established a\nsteering committee or group that has responsibility for directing and\noverseeing the development of the architecture.\n\n\n\n\n     54\n          The FBI\xe2\x80\x99s survey results are depicted in Appendix 6 of this report.\n\n\n\n                                        - 83 -\n\x0c      In addition, the GAO indicated that although establishing the\nmanagement foundation is an essential first step, important further\nsteps still need to be taken for the FBI to fully implement the set of\npractices associated with effective enterprise architecture\nmanagement. These include having a written and approved policy for\ndeveloping and maintaining the enterprise architecture and requiring\nthat IT investments comply with the architecture.\n\n       We determined that the FBI\xe2\x80\x99s enterprise architecture function\ndoes not adequately support its ITIM process. Although the enterprise\narchitecture office has provided support to the ITIM process during the\npilot test of the select phase, this support needs to be enhanced. Our\nconclusion is based on the FBI not having a fully established enterprise\narchitecture.\n\nb. Results of Our Assessment of the FBI\xe2\x80\x99s Progress Towards\n   Fully Establishing an Enterprise Architecture\n\n      We concluded that although the FBI has not fully established an\nenterprise architecture, it is taking important steps to establish one.\nSpecifically, personnel from the enterprise architecture office told us\nthat a baseline architecture is being developed in a data repository,\nwhich will ultimately be maintained on the FBI\xe2\x80\x99s Intranet. This data\nrepository, when complete, will describe how all of the FBI\xe2\x80\x99s IT\nsystems align with the business processes of the Bureau. Additionally,\nthe enterprise architecture office is developing a technical reference\nmodel that will outline the technical architecture of the Bureau\xe2\x80\x99s IT\nsystems. Also, this office is creating a commercial off-the-shelf\nroadmap of all commercially available hardware and software that will\ncomply with the FBI\xe2\x80\x99s technical architecture.\n\n       Despite the limited staffing of the enterprise architecture office,\nthis office has made progress towards building a foundation for an\nenterprise architecture function.55 Given the importance of enterprise\narchitecture to ensure successful IT investment management, coupled\nwith the size and complexity of the FBI\xe2\x80\x99s IT infrastructure, we\nconcluded that additional staffing and management attention to this\narea is warranted.\n\n\n\n       55\n          As of July 2002, the FBI had two full-time employees solely focused on\nenterprise architecture. We were told by officials in the Information Resource\nManagement Section that there were two vacant positions for the enterprise\narchitecture office that were expected to be filled.\n\n\n                                       - 84 -\n\x0c      Despite the progress of the enterprise architecture office, not\nhaving a fully established enterprise architecture framework hampers\nthe ITIM process. As we previously mentioned, the ITIM process\ndepends on enterprise architecture functions to fulfill critical processes\nin the Framework. An organization\xe2\x80\x99s enterprise architecture would\nassist in the implementation of each of these critical processes, none\nof which the FBI has implemented as of June 2002. The following\nparagraph describes several causes for the FBI not having a fully\ndeveloped enterprise architecture framework that adequately supports\nthe ITIM process.\n\n       Personnel from the FBI\xe2\x80\x99s enterprise architecture office told us\nthat the FBI has only recently paid significant attention to developing\nan enterprise architecture. According to the GAO, the FBI\xe2\x80\x99s lack of\nattention to enterprise architecture is not much different from other\nfederal agencies. Historically, agency executives have not fully\nunderstood the value of enterprise architectures. Therefore, these\ntools have lacked the executive sponsorship necessary to become a\nfunding priority. In addition, human capital expertise in this area has\nbeen scarce at federal agencies. As a result, the risk is heightened\nthat federal agencies will proceed with investment decisions without\nthe benefit of this architectural context and will end up with systems\nthat limit mission performance, often after a significant and unwise use\nof funds. Specifically, the GAO stated in its June 2002 testimony:\n\xe2\x80\x9cThe successful development and implementation of an enterprise\narchitecture, an essential ingredient of an IT transformation effort for\nany organization and even more important for an organization as\ncomplex as the FBI, will require, among other things, sustained\ncommitment by top management, adequate resources, and time.\xe2\x80\x9d\n\nc.   Summary\n\n      Because the FBI does not have a fully developed enterprise\narchitecture, the FBI will have difficulty in achieving more mature IT\ninvestment processes such as managing its IT investments as a\ncomplete portfolio and improving the investment process through\npost-implementation reviews.\n\nd.   Recommendation\n\n      We recommend that the Director of the FBI ensure:\n\n21. The FBI continues its efforts to establish a comprehensive\n    enterprise architecture. The FBI must also develop and\n\n\n                                  - 85 -\n\x0c       implement a specific plan to integrate the ITIM and enterprise\n       architecture processes, even as these processes are being further\n       refined and developed.\n\n(5) Summary of the FBI\xe2\x80\x99s Ability to Improve its IT Investment\n    Practices\n\n       We determined that the FBI must take additional actions to\nimprove its IT investment practices. Not only will these actions\nfacilitate the building of an IT investment foundation (Stage Two\nmaturity), but these actions will also be essential for any advancement\nbeyond Stage Two. In summary, the FBI must:\n\n   \xe2\x80\xa2   fully develop and document the FBI\xe2\x80\x99s policy and procedures for\n       IT investment management, especially in the control and\n       evaluate phases;\n\n   \xe2\x80\xa2   increase the participation of ITIM users in developing and\n       refining the ITIM process as the pilot test continues;\n\n   \xe2\x80\xa2   integrate a standardized project management methodology with\n       the ITIM process; and\n\n   \xe2\x80\xa2   continue to develop an enterprise architecture framework.\n\n      The FBI\xe2\x80\x99s efforts in these areas are crucial for it to successfully\nimprove its IT investment maturity, and ultimately enhance mission\nperformance.\n\nC. Trilogy Case Study\n\n       To determine how the FBI\xe2\x80\x99s IT investment management\npractices affected a major IT project, we performed a case study of\nthe FBI\xe2\x80\x99s Trilogy project. In section A of this finding, we concluded\nthat the FBI was not fully implementing any of the critical processes\nnecessary for successful IT investment management, including the\nmost fundamental critical processes that are associated with the\nFramework\xe2\x80\x99s Stage Two maturity. Because our analysis in Section A of\nthis finding was made on an organizational level, in our case study we\nassessed how the FBI\xe2\x80\x99s non-implementation of Stage Two critical\nprocesses affected an individual project. Next, we examined the FBI\xe2\x80\x99s\ninternal assessments of Trilogy. Finally, we assessed the FBI\xe2\x80\x99s\nongoing deployment of new computer hardware, software, and\nnetworks to its field offices.\n\n\n                                  - 86 -\n\x0c       We selected Trilogy for our case study because it is currently the\nFBI\xe2\x80\x99s largest ongoing IT project, with $458 million in total\nappropriations as of June 2002. Trilogy\xe2\x80\x99s purpose is to upgrade the\nFBI\xe2\x80\x99s: (1) hardware and software or Information Presentation\nComponent (IPC), (2) communication networks or Transportation\nNetwork Component (TNC), and (3) five most important investigative\napplications or User Applications Component (UAC). The IPC and TNC\nupgrades will provide the physical infrastructure needed to run the\napplications from the UAC portion. The UAC portion is intended to\nupgrade and consolidate 5 of the FBI\xe2\x80\x99s 42 investigative applications.\nBecause there are 37 other investigative applications and\napproximately 160 non-investigative applications that Trilogy will not\ninclude, Trilogy is only a starting point toward upgrading the FBI\xe2\x80\x99s\nentire IT infrastructure.\n\n       When discussing the state of the FBI\xe2\x80\x99s IT systems and the\nbenefits Trilogy could bring, one Special Agent-In-Charge told us that\n\xe2\x80\x9cTrilogy must improve the FBI\xe2\x80\x99s IT systems. There is just no other\nway that agents can continue operating with such limited abilities.\xe2\x80\x9d A\nsenior FBI official stated to the Senate Judiciary Committee in\nJuly 2002 that agents must go through 12 screens just to upload one\ndocument in ACS. She further stated that the process is even more\ndifficult because \xe2\x80\x9cthere\xe2\x80\x99s no mouse, there\xe2\x80\x99s no icon, there\xe2\x80\x99s no year\n2000 look to it, it\xe2\x80\x99s all very keyboard intensive.\xe2\x80\x9d While FBI officials\nstated that Trilogy is not intended to provide the FBI with a state-of-\nthe-art IT system, it lays the technological foundation so that an\neffective information system can be built. The implementation of\nTrilogy is vital to enhancing the FBI IT infrastructure, and\nconsequently to the FBI\xe2\x80\x99s mission performance.\n\n(1) Evolution of the Trilogy Project\n\n      During the 1990\xe2\x80\x99s, the FBI recognized that its IT infrastructure\nwas aging and in need of modernization. Since 1997, the FBI has\nproposed to Congress several projects intended to improve its IT\ninfrastructure and office automation.\n\n        First, the Information Sharing Initiative (ISI), a four-year project\nwith an anticipated cost of about $400 million, was presented to\nCongress in 1997. The project\xe2\x80\x99s purpose was to upgrade the FBI\xe2\x80\x99s\ncritical hardware, software, and communications capabilities and thus\nfacilitate the development and deployment of modern computer\n\n\n\n                                   - 87 -\n\x0capplications. It also would have provided secure information sharing\nwithin the FBI, and to law enforcement agencies outside of the FBI.\n\n       In November 1998, the ISI was funded by Congress with\nFY 1999 appropriations. However, expenditure of funds was\ncontingent on the approval of the implementation plan and a review of\nit by the OMB\xe2\x80\x99s IT Technology Review Board. Following the OMB\xe2\x80\x99s\nreview of the ISI plan, the FBI made minor modifications to the\nrequirements document and acquisitions strategy. By January 2000,\nthe FBI was ready to award the ISI contract. However, the Senate\nand House Appropriation Committees had not approved the\nimplementation plan. FBI officials told us that by 1999, Congress had\nbecome increasingly concerned with the FBI\xe2\x80\x99s ability to manage major\nIT projects on time and within budget. We were told by FBI officials\nthat this loss of credibility was caused by previous large-scale FBI IT\nprojects that experienced significant cost and schedule overruns.\nParticularly, those officials said that the Integrated Automated\nFingerprint Identification System and National Crime Information\nCenter both were completed millions of dollars over budget and years\nbehind schedule.\n\n       Because of the FBI\xe2\x80\x99s poor track record of managing major IT\nprojects within cost and schedule, Congressional committees\nrecommended that the FBI utilize a pilot implementation concept for\nISI, which would modernize the IT infrastructure in phases. FBI\nofficials said they resisted this concept because of concerns over\nhaving two sets of infrastructures, one old and one new. As a result,\nthe FBI abandoned the ISI initiative.\n\n       In the Spring of 2000, the FBI prepared a project plan called\neFBI, which was essentially a scaled back version of ISI. Because the\nproject was less costly, FBI officials hoped that Congress would be\nmore receptive to the project. The main difference between ISI and\neFBI was that eFBI did not have the secure electronic information\nsharing capabilities included with ISI. However, press reports\nindicated that the FBI did not receive funding for the project when DOJ\nofficials objected to certain proposed bidding procedures.\n\n      Because these plans to upgrade the FBI\xe2\x80\x99s IT infrastructure were\nnever approved, the FBI\xe2\x80\x99s IT infrastructure had not received\nmeaningful improvements since the early 1990\xe2\x80\x99s. As a result, there\nwas an increasing need for a Bureau-wide IT upgrade. According to\nFBI documentation, by September 2000:\n\n\n\n                                - 88 -\n\x0c  \xe2\x80\xa2   more than 13,000 of the desktop computers utilized by the FBI\n      were 4 to 8 years old and could not run modern software;\n\n  \xe2\x80\xa2   the communications capability (networks) between and within\n      FBI offices was up to 12 years old;\n\n  \xe2\x80\xa2   most of the network components being used were no longer\n      manufactured or supported;\n\n  \xe2\x80\xa2   most Resident Agency offices were connected to the network at\n      speeds equivalent to a 56k modem;\n\n  \xe2\x80\xa2   Special Agents were unable to reliably e-mail each other on case\n      specific information and often resorted to faxes; and\n\n  \xe2\x80\xa2   Special Agents were unable to electronically communicate\n      information to the U.S. Attorney Offices, other federal agencies,\n      and state and local law enforcement agencies.\n\n      Recognizing its credibility problems with Congress, in July of\n2000, the FBI hired a new chief information officer from the private\nsector to outline IT management. The new chief information officer\nwas tasked with submitting another major technology upgrade plan to\nCongress. That plan, called the FBI Information Technology Upgrade\nPlan (FITUP), was drafted and delivered to Congress in\nSeptember 2000. The FITUP was intended to achieve goals similar to\nthe ISI and eFBI projects. FBI officials told us that Congress appeared\nmore satisfied with the FBI\xe2\x80\x99s new IT management team, and\nconsequently appropriated $379.8 million in November 2000 to fully\nfund the FITUP over a three-year period.\n\n      The objectives of the FITUP, as defined by the FBI, were to:\n\n  \xe2\x80\xa2   provide the right hardware and software tools for the FBI\xe2\x80\x99s law\n      enforcement mission;\n\n  \xe2\x80\xa2   enable the FBI\xe2\x80\x99s investigative personnel to easily and rapidly\n      find, present, and manipulate required information; and\n\n  \xe2\x80\xa2   transport and share information quickly and efficiently across the\n      Bureau.\n\nIn November 2000, the FITUP was renamed Trilogy. A brief\ndescription of Trilogy\xe2\x80\x99s three components (IPC, TNC, and UAC) follows.\n\n\n                                 - 89 -\n\x0c       The IPC refers to how users see and interact with information.\nThe IPC provides new desktop computers, servers, and commercial-\noff-the-shelf office automation software, including a web-browser and\ne-mail to enhance usability by the agents. The original Trilogy plan\nalso included the use of thin-client desktop computers. Thin-client\ndesktop computers, according to the FITUP, utilize application software\nthat is run from the server computer, and consequently permits the\ndesktop computer to function with fewer hardware resources such as\nprocessors and memory. Other benefits to the thin-client strategy\nincluded less maintenance of software in field offices and timely\ntechnology upgrades to meet user needs. The FITUP further stated\nthat the FBI sized the departmental servers to handle the processing\ndemands imposed by the thin-client strategy.\n\n      The TNC is the complete communications infrastructure and\nsupport to create, run, and maintain the FBI\xe2\x80\x99s networks. It is intended\nto be the means by which the FBI electronically communicates,\ncaptures, exchanges, and accesses investigative information. The TNC\nincludes high capacity wide-area and local-area networks,\nauthorization security, and encryption of data transmissions and\nstorage.\n\n       The FBI combined the IPC and TNC portions for continuity when\nit requested contractor support, as both encompass physical IT\ninfrastructure enhancements. The contractor for the IPC/TNC portions\nwas signed in May of 2001. The originally scheduled completion date\nfor these components was May 2004.\n\n      The UAC defines software-based capabilities and functions that\nSpecial Agents can use to access and analyze the information they\nneed. The UAC is intended to provide the FBI with:\n\n  \xe2\x80\xa2   improved capabilities to communicate inside and outside the\n      FBI;\n\n  \xe2\x80\xa2   access to information from internal and external databases that\n      is properly authorized using primarily commercial products;\n\n  \xe2\x80\xa2   the capability to evaluate cases and patterns of crimes through\n      the use of commercial and FBI-enhanced analytical and case\n      management tools; and\n\n\n\n\n                                - 90 -\n\x0c   \xe2\x80\xa2   the ability to find information in FBI databases without having to\n       know where it is, and to search all FBI databases with a single\n       query through the use of intelligent search engines.\n\n      The UAC is also referred to as the Virtual Case File. The Virtual\nCase File is intended to replace ACS as the FBI\xe2\x80\x99s primary investigative\napplication. The goal of the Virtual Case File is to reduce agents\xe2\x80\x99\nreliance on paperwork to improve efficiency. The Virtual Case File is\nsupposed to have multi-media capability that will allow agents to scan\ndocuments, photos, and other electronic media into the case file. A\nseparate contractor was hired in June 2001 to complete the UAC\nportion of Trilogy by June 2004.\n\n(2) Accelerated Deployment of Trilogy\n\n      Even before the terrorist attacks on September 11, the FBI was\nlooking for ways to accelerate the three-year Trilogy project, given the\nFBI\xe2\x80\x99s urgent need for improved IT infrastructure. In its Quarterly\nCongressional Status Report for the period between May 14, 2001 and\nJuly 6, 2001, FBI personnel stated that it had devised a plan to\ncomplete the IPC/TNC deployment in June 2003, nearly one year\nahead of schedule, while the UAC deployment remained a three-year\nproject. However, FBI officials stated they wanted to accelerate\ndeployment of UAC.\n\n      After the terrorist attacks on September 11, 2001, the urgency\nof completing Trilogy increased. The FBI continued to explore options\nto accelerate the deployment of all three components of Trilogy. The\nFBI informed Congress in its February 2002 Quarterly Congressional\nStatus Report that it devised a new plan with the contractor to\ncomplete the deployment of the IPC/TNC phases by December 31,\n2002, which was nearly 18 months earlier than the originally planned\ncompletion date. Additionally, the FBI\xe2\x80\x99s February 2002 report stated\nthat the contractor for the UAC phase developed a plan to make ACS\nweb-enabled by July 2002. Web-enablement of ACS56 was designed to\nput ACS in a multi-media format prior to the completion of the UAC\nphase in July 2004. According to its Congressional reports, the FBI\ncould make these enhancements to Trilogy without any net increases\nto the project costs. The FBI would only need to have a portion of the\nfunding earmarked for FY 2003 available by October 30, 2002.\n\n       56\n         Web-enablement of ACS would allow the current ACS system to be\nupgraded from outdated \xe2\x80\x9cgreen screen\xe2\x80\x9d technology to a mouse, point and click\ntechnology.\n\n\n\n                                     - 91 -\n\x0c      The FBI also informed Congress in its February 2002 report, that\nwith an additional $70 million funding for FY 2002, the FBI could\nfurther accelerate the deployment of Trilogy. This acceleration would\ninclude completion of the IPC/TNC phase by July 2002 and rapid\ndeployment of the most critical analytical tools included as part of the\nUAC phase.\n\n       Congress supplemented Trilogy\xe2\x80\x99s FY 2002 budget with\n$78 million from the Emergency Supplemental Appropriations Act of\nJanuary 2002 to expedite the deployment of all three components.\nThe Emergency Supplemental Appropriations Act increased the total\nfunding of Trilogy from $379.8 million57 to $457.8 million. According\nto Trilogy documentation, the FBI obligated about $231 million as of\nJune 2002. Trilogy\xe2\x80\x99s budget by component, as of June 2002, is\ndescribed in the following table.\n\n\n\n\n       57\n         Of this amount, $107.55 million was identified by FBI management as\nfunding offsets, or cost savings, from other operations that would be replaced by\nTrilogy.\n\n\n                                       - 92 -\n\x0c                   Trilogy\xe2\x80\x99s Budget by Component\n\n                                             Revised Plan Including\n                                                the Emergency\n   Component                   Original          Supplemental\n     Area             FY        Plan           Appropriation Plan\n                     2001          $68.0                        $65.7\n                     2002          $87.8                       $184.8\n                     2003          $82.8                        $37.6\n TNC/IPC             Total       $238.6                        $288.1\n                     2001          $24.7                        $28.1\n                     2002          $46.6                        $63.8\n                     2003          $47.9                        $47.8\n UAC                 Total       $119.2                        $139.7\n Contractor\n Computer            Total         -                                 $8.0\n Specialists\n                     2001           $8.0                           $8.0\n                     2002           $8.0                           $8.0\n Project             2003           $6.0                           $6.0\n Management          Total         $22.0                          $22.0\n Total                            $379.8                         $457.8\n\n      Source: FBI budget documentation\n\n      Congress\xe2\x80\x99s willingness to provide the FBI with additional funding\nafter September 11 was not limited to Trilogy. The FBI saw an\nincrease in funding of approximately 102 percent for IT projects from\n$352.8 million FY 2001 to $714 million in FY 2002.\n\n       The IPC/TNC infrastructure enhancements are being deployed in\nthree phases in the accelerated plan. The first phase, called Fast\nTrack, is the installation of Trilogy hardware in all of the field offices\nand some of the Resident Agencies. The Fast Track deployment\nconsists of new network printers, color scanners, local area network\nupgrades, desktop workstations, and office automation software. FBI\nofficials reported that by the end of April 2002, all of the 56 field\noffices had Fast Track completed.\n\n      We were told by FBI officials that following the completion of\nFast Track, the next phase of deployment, referred to as Extended\nFast Track, was initiated, and was still continuing as of June 2002.\nUnder Extended Fast Track, the FBI: (1) installed servers and other\n\n\n                                  - 93 -\n\x0cnetwork components at field office and resident agency sites, and\n(2) deployed the hardware included under Fast Track to additional\nresident agency sites that were not included in the first phase. Also,\nthe FBI intended Extended Fast Track to correct any shortfalls in the\ndistribution of hardware to the field offices that occurred in the original\nFast Track deployment.\n\n      The final phase of the deployment, called Full Site Capability,\nrepresents the complete infrastructure upgrade. This phase will\nprovide the wide area network connectivity together with new\nencryption devices, new operating systems and servers, and new and\nimproved e-mail capability. According to June 2002 Congressional\nTestimony, Full Site Capability is expected to be completed in\nMarch 2003.\n\n       The UAC portion is also going to be deployed in two phases in\nthe accelerated plan, release one and release two. The initial Virtual\nCase File release will migrate data from the current ACS and IntelPlus\nto the Virtual Case File. The Virtual Case File will replace ACS and\nserve as the backbone of the FBI\xe2\x80\x99s information systems, replacing the\nFBI\xe2\x80\x99s paper files with electronic case files that include multi-media\ncapabilities. The first release of Virtual Case File has a targeted\ncompletion date of December 2003. This release is intended to allow\ndifferent types of users, such as agents, analysts, and supervisors, to\naccess information from their desktop computers that is specific to\ntheir individual needs. This Virtual Case File release is also intended to\nenhance the FBI\xe2\x80\x99s capability to set and track case leads, index case\ninformation, and move document drafts more quickly through the\napproval process with digital signatures.\n\n      The second release is intended to upgrade three other\ninvestigative applications into the Virtual Case File. The second Virtual\nCase File release has a targeted completion date of June 2004. It is\nintended to provide agents with Audio/Video Streaming capability and\ncontent management capability. According to FBI documentation,\ncontent management should help agents access information from the\nFBI\xe2\x80\x99s data warehouse, regardless of where in the system the\ninformation was entered, providing a single query for all of the FBI\xe2\x80\x99s\nsystems.\n\n\n\n\n                                  - 94 -\n\x0c(3) Results of Our Assessment of Trilogy Against the Stage\n    Two Critical Processes\n\n       The Framework provides the organization level processes\nnecessary for effective IT investment management. As a result, the\nFramework\xe2\x80\x99s critical processes, and in particular the Stage Two critical\nprocesses, do not necessarily ensure that individual IT projects will be\neffectively managed. However, it does ensure that, at a minimum,\nbasic selection and management control processes are in place.\n\n      As discussed in Section A of this finding, Stage Two builds the\nfoundation for successful IT investment management by establishing\nbasic IT selection and control processes for IT projects. Stage Two is\ndefined by the following five critical processes:\n\n   \xe2\x80\xa2   IT Investment Board Operation - the process for creating and\n       defining one or more IT investment boards within the\n       organization;\n\n   \xe2\x80\xa2   IT Project Oversight - the process whereby the organization\n       monitors all projects relative to cost and schedule expectations;\n\n   \xe2\x80\xa2   IT Project Identification - the process by which the IT inventory\n       is created and maintained to provide asset tracking data to\n       executive decision-makers;\n\n   \xe2\x80\xa2   Business Needs Identification - the process of identifying the\n       business needs and the associated users that drive each IT\n       project; and\n\n   \xe2\x80\xa2   Proposal Selection - the process establishing defined processes\n       used by an organization to select new IT project proposals.\n\nOur assessment of how Trilogy was managed in relation to each Stage\nTwo process is described in the following paragraphs.\n\na. IT Investment Board Operation\n\n     According to the Framework, IT investment boards have\nexecutive decision-making authority throughout the organization. This\norganization-wide perspective is necessary to ensure that only the best\n\n\n\n\n                                  - 95 -\n\x0cprojects are selected for development, and projects under\ndevelopment are being monitored with consistent policies and controls.\n\n      In section A of this finding, it was noted that the FBI did not\nhave IT investment boards operating prior to March 2002. Because\nTrilogy was initiated in September 2000, it was not selected through\nthe operation of formal IT investment boards. Additionally, because\nthe FBI\xe2\x80\x99s IT investment boards were not involved in overseeing IT\nprojects as of June 2002, Trilogy has not been subjected to board\noversight.\n\n        FBI officials have told us that most of Trilogy\xe2\x80\x99s development has\nbeen managed in a \xe2\x80\x9cstovepipe.\xe2\x80\x9d One FBI official told us that the\norganization\xe2\x80\x99s focus on Trilogy has drained the FBI of a broader view\nof IT. As a result, FBI personnel not involved in the management of\nTrilogy had little knowledge of the project\xe2\x80\x99s status and progress.\nAlthough the Trilogy management structure has changed frequently, it\nwas managed out of the IRD until March 2002. However, IRD\npersonnel who were responsible for acquiring IT products and services\nthrough contractors on IRD IT projects were not involved in Trilogy\xe2\x80\x99s\nacquisitions. Only members of the Trilogy management team\nperformed these activities. Further, FBI personnel told us there was\nlittle coordination taking place with Trilogy management and contract\nspecialists from the Finance Division or the IRD\xe2\x80\x99s unit responsible for\nprocurement of non-Trilogy IT needs. Because of the lack of\ncoordination, there is a heightened risk that resources could be spent\non potentially duplicative or non-compatible hardware, software, and\nsystems. FBI officials have told us that the IRD is in the process of\ndeveloping technical enterprise architecture that incorporates Trilogy\nrequirements to mitigate this risk.\n\nb. Project Oversight\n\n      The GAO Framework states that IT investment boards should\nmonitor all projects relative to cost, schedule, and technical baselines\nto measure the progress of IT projects under development, and the\nperformance of projects upon deployment. When an IT project is not\nperforming according to expectation, the investment boards should\nseek corrective actions to be taken.\n\n      IT investment boards have not been involved in overseeing\nTrilogy. In our judgment, the lack of project oversight from IT\ninvestment review boards contributed to the FBI not having\n\n\n\n                                 - 96 -\n\x0cestablished schedule, cost, and technical baselines for Trilogy, as of\nJune 2002.58\n\n      In terms of a cost baseline, FBI officials told us that the rapid\nprocurement and deployment of Trilogy has prevented the project\nmanagers from performing earned value management,59 as promised\nin the FITUP. While FBI officials were confident they know how much\nmoney has been spent on Trilogy to date, and how much funding has\nbeen committed, they have less assurance as to whether Trilogy is on\nbudget, over budget, or under budget.\n\n       A schedule baseline for Trilogy has never been well-established.\nFirst, FBI officials said they would complete IPC/TNC deployment in\nMay 2004. Then, they said it could be finished in June 2003. Next,\nthey said it would be finished by December 2002. After receiving\n$78 million of supplemental funding, they said it would be done by\nJuly 2002. Then, they said they could not make the July 2002\ndeadline and moved it to October 2002. As of June 2002, FBI officials\nhave said deployment will probably not be complete until March 2003.\nAlso as of June 2002, the FBI was still in the process of building a\ncomprehensive schedule of Trilogy milestones.\n\n      In terms of a technical baseline, we previously stated that the\nFBI is still developing a technical architecture framework that includes\nTrilogy hardware and software. Personnel from the enterprise\narchitecture office initially told us at the beginning of our audit that\nthey were not significantly involved in ensuring that Trilogy\nacquisitions were compatible with non-Trilogy hardware and software.\nBut, as of June 2002, the enterprise architecture office had developed\na technical reference model, although it was not finalized.\n\n      According to the FITUP, the philosophy employed in\nimplementing Trilogy was \xe2\x80\x9cto get 80% of what is needed into the field\nnow rather than 97% later. Then we can proceed in an orderly fashion\nto move toward 100% in the future.\xe2\x80\x9d Additionally, after the events of\nSeptember 11, the urgency to deploy Trilogy as quickly as possible\nincreased. FBI management told us that risks associated with this\nrapid deployment were accepted. Further, they stated that given the\n\n       58\n          Cost baselines establish the specific cost of equipment or user-applications\ndelivered. Schedule baselines establish when equipment or user-applications would\nbe delivered. Technical baselines establish the enhancements made to systems.\n       59\n         Earned value management is comparing the value of products and services\nreceived with funds that have been expended.\n\n\n                                        - 97 -\n\x0caccelerated schedule, and additional funding needed, the cost and\nschedule baselines could not be static.\n\n       While the events of September 11, 2001 affected the FBI\xe2\x80\x99s\nability to manage cost, schedule, and technical baselines, we believe\nthe risks of not establishing such baselines puts the project at a high\nrisk of failure. Although the overall success of Trilogy will not be\ndetermined for years to come, the FBI has already missed the\nJuly 2002 deadline to complete the IPC/TNC phase. In our judgment,\nthis missed deadline is a further indication that increased oversight of\nthe project is needed.\n\n      The new Trilogy project executive, hired in March 2002, has\ntaken a different approach to managing Trilogy. She has emphasized\nthe importance of having more structured oversight of the project.\nShe has been developing a comprehensive schedule for all three\ncomponents. Additionally, she has indicated that there are limitations\nto how fast Trilogy can be deployed, without risking the security of the\nsystem. In our judgment, while these actions since March 2002\nrepresent positive changes to Trilogy\xe2\x80\x99s project management function,\nthe project\xe2\x80\x99s completion time, final cost, and ultimate performance\nremain uncertain. Also, we concluded that for the Trilogy project\nmanagement function to be effective, it must include oversight from IT\ninvestment review boards to provide much needed monitoring.\n\nc. IT Project and System Identification\n\n      According to the Framework, IT project and system identification\nprovides essential information to an organization as to how its IT\nassets (such as personnel, systems, applications, hardware, software\nlicenses, etc.) are configured and relate to one another. Having a\ncomplete inventory of the organization\xe2\x80\x99s IT assets, including\ndocumentation of the configuration and technical architecture of IT\nsystems, helps ensure that IT investment review boards will select\nprojects that comply with the existing architecture in place.\nAdditionally, this process can be equated with an organization having a\nblueprint of what systems it utilizes, how those systems were created,\nand what can be done to enhance those systems.\n\n      As noted in section A of this finding, we found that the FBI did\nnot have a comprehensive inventory of all IT assets, including\ncomplete documentation of the technical architecture of its systems.\nBecause the UAC portion of Trilogy is focused on making significant\nchanges to, or possibly complete replacements of, five of the FBI\xe2\x80\x99s\n\n\n                                 - 98 -\n\x0cinvestigative systems, having documentation of the exact\nconfiguration of these systems is critical to designing the requirements\nfor UAC. According to a senior FBI official, the FBI must know what it\nhas before it can define the right solution to fix the problem. Not\nhaving the documentation of the configuration of these five\ninvestigative systems has caused the FBI to engage in a process of\nreverse engineering, which is trying to determine the structure and\ncomponents of the systems after deployment. Because the FBI has to\nperform reverse engineering on the FBI\xe2\x80\x99s five investigative systems\nthat will be migrated to the Virtual Case File, there are limitations as to\nhow rapidly UAC can be developed and deployed.\n\n       As of June 2002, the FBI was still defining the requirements for\nUAC because of the reverse engineering activities. Without knowing\nthe exact requirements, the FBI will have difficulty establishing cost\nand schedule baselines for this component of Trilogy. As a result,\nsome FBI officials told us that they believe the UAC portion of Trilogy\nis at significant risk of not being completed on schedule (in June 2004)\nor within budget.\n\nd. Business Needs Identification for IT Projects\n\n       According to the Framework, an organization should have a\nsystematic process for identifying, classifying, and organizing its\nbusiness needs and the IT projects used to support these needs. This\nprocess should allow for the identification and definition of the\nbusiness needs and specific users for all IT projects. This process can\nbe equated with knowing where the organization wants to go, based\non its mission, and the needs of its users to pursue that mission.\nWhile we concluded that the Trilogy project\xe2\x80\x99s users were identified,\nsince all users of the FBI\xe2\x80\x99s systems will be affected by the IPC/TNC\nportion of the project, we found that the specific needs of the users,\nand of the FBI as a whole, were not adequately defined before Trilogy\nwas selected and funded.\n\n      Specifically, we found that the requirements for the applications\nof the UAC portion were still being defined as of June 2002. Since\nJanuary 2002, the FBI and the contractor were participating in a Joint\nApplication Development planning process to define and prioritize the\nusers\xe2\x80\x99 operational requirements. This process brings users, designers,\nand future systems operators together to develop the applications in\norder to better establish operable and maintainable systems.\n\n\n\n\n                                  - 99 -\n\x0c       The Joint Application Development sessions represent a\nthoughtful and productive approach to ensuring that the UAC portion\nof Trilogy will adequately support agents\xe2\x80\x99 investigative activities.\nHowever, in our judgment, this process should have been initiated\nfrom the beginning of the Trilogy project.\n\ne. Proposal Selection\n\n       According to the Framework, proposal selection activities ensure\nthat the right projects are selected to support the organization\xe2\x80\x99s\nmission. The proposal selection process relies on the project and\nsystem identification process, as well as the business needs\nidentification process, so that information contained within project\nproposals include sufficient documentation of the technical\nrequirements of the projects.\n\n      While no investment boards existed at the time of Trilogy\nselection, it has been widely recognized by the Attorney General, FBI\nDirector, and Congress that an investment in the upgrade of the FBI\xe2\x80\x99s\ninformation technology was essential to the FBI meeting its mission\ngoals. The FBI\xe2\x80\x99s technology was outdated in terms of hardware,\nsoftware, user-applications, connectivity, and data sharing abilities.\nThere is little question of the FBI\xe2\x80\x99s need to select this project.\nHowever, successful execution and deployment of the project depends\non having the other control processes in place. Specifically, proposals\nshould have adequate documentation of technical requirements and\nproject risks.\n\n       We were told that some aspects of Trilogy that were submitted\nto Congress did not turn out to be technically feasible. For example,\nFBI officials told us that the thin-client strategy was not pursued\nbecause it was found that this type of network could not be achieved\ngiven the technical requirements of the FBI. Another example is web-\nenablement of the ACS, which was also discontinued when it was\nrealized that it would require more resources than anticipated. Had a\nmore rigorous proposal selection process been in place that required\nsufficient documentation of the technical requirements and risks of the\nproject, the expending of time and resources on thin-client technology\nand web-enablement of ACS may have been minimized.\n\nf. Summary\n\n      We have found that not implementing the critical processes\nassociated with Stage Two maturity has contributed to missed\n\n\n                                - 100 -\n\x0cmilestones and uncertainties associated with the remaining portions of\nTrilogy. However, the FBI\xe2\x80\x99s new Trilogy project executive has taken\npositive steps in establishing management controls and oversight to\nthe project.\n\ng.   Recommendations\n\n     We recommend that the Director of the FBI ensure:\n\n22. The IT Investment Review Boards initiate oversight of Trilogy,\n    including:\n\n     a. the establishment of cost, schedule, technical, and\n        performance baselines; and\n\n     b. tracking significant deviations from these baselines and taking\n        corrective actions as necessary.\n\n23. The technical requirements for Trilogy are adequately defined,\n    documented, and shared with other IT users.\n\n(4) The FBI\xe2\x80\x99s Internal Assessments of Trilogy\n\n      The FBI had three internal assessments performed concerning\nthe management of the Trilogy project. These assessments were done\nby the FBI\xe2\x80\x99s Inspection Division, CJIS Division, and a contractor\nperforming independent verification and validation work. The\nassessments found that the lack of baselines and general program\noversight pose potential risks for the Trilogy program meeting its\nbudget, schedule, technical, and performance goals. These\nassessments recommended that the FBI designate a program manager\nspecifically for Trilogy, and that the program manager immediately\ntake steps to establish baselines and requirements for the project.\n\n      The objective of our case study was to determine how Trilogy\nwas being managed within Stage Two of the Framework. These\nassessments go beyond that objective and address additional areas of\npotential risk within Trilogy, such as security and configuration\nmanagement. An overview of the three independent assessments\n(FBI Inspection Division Trilogy Risk Assessment, November 2001;\nTrilogy Independent Validation and Verification, December 2001; and\nCJIS Division Trilogy Assessment, January 2002) are presented in the\nfollowing paragraphs.\n\n\n\n                                - 101 -\n\x0ca. Inspection Division Trilogy Risk Assessment\n\n      Because of the size and importance of Trilogy to the FBI, the\nInspection Division\xe2\x80\x99s MPMOU issued a risk assessment report on the\nTrilogy project to the FBI Director in November 2001. This\nassessment identified areas of high risk within the acquisition,\nfinancial, requirements, and overall project management of Trilogy.\nThe areas found to be high risk included a lack of project requirements\nand baselines, the lack of a defined program organizational structure\nand program manager, and improper scheduling and cost estimates.\n\n      The report recommended that the FBI institute a short-term\nstrategy to provide interim capabilities and a long-term strategy to\nrestructure Trilogy. The report recommended that the short-term\nstrategy should include a detailed plan identifying what can realistically\nbe accomplished within a pre-determined period. It further stated that\nthe short-term plan should have a clearly defined scope so that\nprogress can be measured and quantified.\n\n      The MPMOU issued two follow-up letters to the Director in\nDecember 2001 and February 2002 to assess the FBI\xe2\x80\x99s progress in\nmitigating these risks and taking action on their recommendations.\n\n      In December 2001, the Inspection Division indicated that while\nTrilogy management acknowledged certain project risks, Trilogy\nmanagers were willing to accept aspects of those risks and move\nforward. However, personnel from the Inspection Division noted that\nFBI senior management did hire a program manager for Trilogy in\nMarch 2002.\n\n       In February 2002, Inspection Division personnel indicated that\nthere was then disagreement between them and Trilogy management\non the level of project risk for Trilogy. The Inspection Division pointed\nto a CJIS review and an outside independent validation and verification\nreport on Trilogy establishing that significant risks to the project exist,\nin the areas originally identified by the Inspection Division. The\nInspection Division then reiterated its previous recommendation that\ncalls for the development of a short and long-term strategy for Trilogy.\nInspection Division personnel told us that Trilogy management did not\nsufficiently develop a short and long-term strategy for the project as\nwas recommended.\n\n\n\n\n                                 - 102 -\n\x0cb. Trilogy Independent Validation and Verification\n\n      The IRD hired an outside contractor to obtain an independent\nperspective on Trilogy. The objective of the assessment was to\ndetermine the labor requirements, level of effort, and verification and\nvalidation tasks necessary to ensure that the Trilogy acquisition meets\nthe requirements of FBI users into the future within the established\nschedule and budget.60 The independent validation and verification\nreport, issued in December 2001, disclosed risks in the Program\nManagement of Trilogy, IPC/TNC portion, and the UAC portion of\nTrilogy, including a lack of program management structure and focus,\na lack of formal requirements, schedules, and baselines, and changes\nin the UAC/IPC/TNC portions without formal changes to contracts.\nWhile we concluded that the FBI improved the Trilogy management\nstructure through the hiring of a new project manager in March 2002,\nwe believe that risks associated with lack of formal requirements,\nschedules, and baselines still remained as of June 2002.\n\nc.   CJIS Division Trilogy Assessment\n\n       Upon reviewing the Inspection Division risk-assessment, the\nDirector requested the CJIS Division to perform an independent review\nof Trilogy to get another perspective on the project. The CJIS Division\nperformed their assessment between January 3 and January 16, 2002.\nThis assessment covered management, quality assurance,\nconfiguration management, IT security, administrative and technical\nrequirements, and technical management. It found weaknesses\nsimilar to those identified by the Inspection Division, including a lack\nof clear lines of authority, no clearly designated Program Manager, a\nlack of authority and support in the areas of quality assurance,\nsecurity, configuration management, and technical requirements, and\ninsufficient technical reviews of Trilogy documentation. While we\nconcluded that the FBI improved the Trilogy management structure\nthrough the hiring of a new project manager in March 2002, we\nbelieve there are still weaknesses in Trilogy\xe2\x80\x99s documentation of\ntechnical requirements as of June 2002.\n\nd.   Summary\n\n     The three internal risk-assessments on Trilogy found significant\nrisks associated with the management of the project. In our\n\n       60\n         Initial Independent Verification and Validation Analyses Technical Report\nwas issued on December 7, 2001 by an outside contractor.\n\n\n                                      - 103 -\n\x0cjudgment, effective IT investment management practices, including\nactive oversight from IT investment review boards would have\nmitigated these risks.\n\ne.   Recommendation\n\n     We recommend that the Director of the FBI ensure:\n\n24. The Trilogy project managers prepare an action plan to address\n    the risks identified by the three internal reports on Trilogy. This\n    plan should include (a) actions already taken to mitigate these\n    risks, (b) planned actions, including suspense dates, and (c) an\n    explanation for why some risks cannot be mitigated, if applicable.\n    The IT investment review boards should then approve this plan\n    and monitor it for implementation.\n\n(5) Deployment of Trilogy to Field Offices\n\n       In addition to assessing the Trilogy management at FBI\nheadquarters, we assessed the Fast Track deployment of Trilogy to\nfive of the largest FBI field offices: (1) New York, (2) Washington,\nD.C., (3) Los Angeles, (4) Miami, and (5) Chicago. Our objectives\nwere to assess the Fast Track deployment in terms of timeliness,\nsupport, and completion. Our goal was to identify current problems\nand recommend corrective actions, and discuss \xe2\x80\x9clessons learned\xe2\x80\x9d for\nfuture system deployments.\n\n      In her July 16, 2002 Congressional testimony before the Senate\nJudiciary Committee, the FBI Project Management Executive stated\nthat the Fast Track deployment involved the installation of Trilogy\narchitecture at the FBI\xe2\x80\x99s 56 field office locations. The installation also\nincluded as many Resident Agencies as could be completed before the\nsecond phase of the deployment (\xe2\x80\x9cFull Site Capability\xe2\x80\x9d) begins. This\narchitecture consists of new network printers, color scanners, local\narea network upgrades, desktop workstations, and Microsoft office\napplications. She also stated that by the end of April 2002,\ndeployment at all 56 FBI field offices was completed, and that Fast\nTrack is continuing to deploy this architecture to the FBI\xe2\x80\x99s\nResident Agencies.\n\na.   Timeliness of the Fast Track Deployment\n\n     The Fast Track deployment to the five field offices in our survey\nbegan as early as December 2001. The FBI Project Management\n\n\n                                 - 104 -\n\x0cExecutive stated in her testimony that \xe2\x80\x9cBy the end of April 2002,\ndeployment at all 56 FBI field offices and two Information Technology\nCenters was completed. Fast Track is continuing to deploy this\ninfrastructure to our resident agencies.\xe2\x80\x9d During our testing at five FBI\nfield offices in June 2000, we found that implementation activities were\nstill ongoing to correct deficiencies that occurred during the original\nFast Track deployment. The FBI Project Management Executive told\nus that her testimony was limited to \xe2\x80\x9cFast Track\xe2\x80\x9d and did not include\nongoing activities related to \xe2\x80\x9cExtended Fast Track.\xe2\x80\x9d\n\n        Regarding the Resident Agencies, FBI employees informed us\nthat as of June 2002, deployment to the Chicago, Los Angeles, and\nDistrict of Columbia Resident Agencies was underway or completed.\nDeployment to the Miami Resident Agencies was scheduled for\nAugust 2002, and deployment to the New York Resident Agencies was\nstill in planning.\n\n       Regarding installation of the basic Trilogy architecture by the\ncontractor, employees from all five field offices said the timing of the\narchitecture installation phase of the deployment occurred either on\nschedule or ahead of schedule.61 Most employees interviewed (ten of\neleven) said they were provided ample notice for the timing of the\ninstallation. A Telecommunications Manager in the Chicago Field Office\nsaid it was one of the FBI\xe2\x80\x99s smoothest \xe2\x80\x9crollouts.\xe2\x80\x9d Personnel from the\nLos Angeles Field Office indicated that through careful preparation they\ncut the installation phase from the three weeks scheduled to just\nseven days. Apparently, only the New York Filed Office experienced\nsignificant problems with the installation phase of the deployment.\nSpecifically, the financial management system was left inoperable and\nthey had to resort to pre-Trilogy processing to pay employees. Also,\nthe FBI Intranet traffic was not reaching the FBI mainframe computer\nbecause of information being routed through too many pathways.\n\nb. Adequacy of FBI Headquarters Support for the Fast Track\n   Deployment\n\n      Regarding FBI Headquarters support, most employees we\ninterviewed said they were provided with adequate planning and\npreparation instructions for the deployment. Employees from the\n\n       61\n        Although the timing of the installation phase occurred as scheduled, the\nExtended Fast Track deployment to all five Field Offices was still ongoing as of\nJune 2002. As discussed later, for two of the Field Offices additional installation work\nremained to be completed, and for four of the Field offices hundreds of desktops still\nremained to be delivered.\n\n\n                                       - 105 -\n\x0cNew York Field Office said FBI Headquarters did not provide\ninstructions but instead informed them to send a team to Miami to\nlearn about the deployment, and then return to New York to plan and\nprepare for it. As to whether there was sufficient communication\nbetween FBI Headquarters and the field offices, four of nine employees\nwho responded indicated that communication could have been better\nto adequately prepare the field offices for deployment.\n\n       Six of eleven employees who responded did not believe the FBI\xe2\x80\x99s\ndeployment strategy appropriately considered the individual needs of\nthe field offices. Personnel from the Chicago Field Office indicated that\nsince they had little opportunity to provide input, they had to work\naround the information and changing timelines received from FBI\nHeadquarters. A supervisory computer specialist from the Los Angeles\nField Office indicated the deployment was successful, in part, because\nthey did not use the timeline provided by FBI Headquarters. Personnel\nfrom the Miami Field Office said they provided considerable\ninformation to the contractor during the survey phase that was\nsubsequently lost. A supervisory computer specialist from the District\nof Columbia Field Office indicated concern that because offsite\nlocations were not considered, there were an insufficient number of\ncomputers to deploy.\n\nc.       Adequacy of Contractor Support for the Fast Track\n         Deployment\n\n      Eleven of the twelve employees we interviewed told us that the\nsubcontractor for the actual installation work at the field offices was\nvery helpful. Employees generally indicated that the subcontractor\nwas technically competent and professional.\n\n      Regarding support from the contractor\xe2\x80\x99s service support center,\nof ten employees who responded, three employees said they did not\nuse the service, five employees said the support provided was\ninadequate, and only two said the support was helpful.\n\n     \xe2\x80\xa2    The three employees who did not use the support center were all\n          from the Los Angeles Field Office. They indicated that personnel\n          in their field office were aware of the service, but so far had no\n          need to use it.\n\n     \xe2\x80\xa2    The five employees who said the service was inadequate said\n          that employees who worked at the center had little technical\n          background and had to assign callers \xe2\x80\x9cticket numbers\xe2\x80\x9d and refer\n\n\n                                    - 106 -\n\x0c       the calls to technicians. Often, the calls were not returned.\n       When the calls were returned, it was usually several days later\n       and often for the wrong ticket number. New York Field Office\n       personnel became so frustrated with the service that FBI\n       Headquarters eventually granted approval for them to call the\n       computer manufacturer directly.\n\n      Part of the Fast Track deployment planning included the\ncontractor conducting surveys at the field offices and resident agencies\nto identify existing equipment and installation requirements. The\nsurveys were conducted in the third and fourth quarters of 2001.\nRegarding the accuracy of the survey work performed by the\ncontractor, five of the nine employees who responded to our question\nsaid the surveys did not accurately identify the computer needs of\npersonnel at the field offices.\n\n   \xe2\x80\xa2   The Chicago Field Office personnel answered the contractor\n       survey based on their understanding that the deployment would\n       be a one-for-one exchange, or one new computer to replace\n       each existing computer. Field office personnel said that FBI\n       Headquarters later decided every employee would receive a\n       computer, which resulted in revising the deployment plans.\n\n   \xe2\x80\xa2   New York Field Office personnel also answered the survey based\n       on their understanding that the deployment would be a one-for-\n       one exchange. As a result, they indicated that the only squad\n       where everyone had a computer was the one working on the\n       investigation of the September 11, 2001 terrorist attacks.\n\n   \xe2\x80\xa2   Los Angeles Field Office personnel indicated that the contractor\n       only considered replacement of old equipment and did not obtain\n       an adequate understanding of the full scope of the deployment.\n       They indicated that as a result, the deployment was not fully\n       completed because of a shortage of 12,000 feet of fiber-optic\n       cable.\n\n      Of nine employees who responded to our question regarding\naccessibility of the contractor for equipment maintenance support, six\nindicated that the contractor was not easily accessible.\n\n   \xe2\x80\xa2   Chicago employees said they had to wait as long as three weeks\n       to receive replacement parts. To report a problem, they first\n       had to call FBI Headquarters, who then relayed the problem to\n       the contractor.\n\n\n                                 - 107 -\n\x0c   \xe2\x80\xa2   The Miami Field Office indicated it could take weeks to get a\n       question answered by the contractor.\n\n   \xe2\x80\xa2   New York Field Office personnel also indicated that maintenance\n       support was inefficient. Maintenance calls were often not\n       returned. On one occasion, a contractor employee told them\n       \xe2\x80\x9ceverything was on hold because they had too many problems.\xe2\x80\x9d\n       Additionally, if a part needed replacing, the entire computer had\n       to be shipped to the contractor, even if the problem involved a\n       faulty floppy drive. Although FBI Headquarters allowed the\n       New York Office to contact the manufacturer directly to resolve\n       problems, they still had to call FBI Headquarters first so that\n       calls could be logged.\n\n   \xe2\x80\xa2   District of Columbia Field Office personnel stated that having\n       maintenance performed off-site was unworkable. They also\n       indicated that they had to ship computers to the contractor for\n       maintenance, even if the problem involved a faulty floppy drive.\n       This generally resulted in agents being without computers for\n       about three weeks.\n\nd. Adequacy of Training Support Provided to Field Office\n   Personnel\n\n      All employees interviewed stated that training in MS Office 2000\napplications and MS Outlook was generally available before, during,\nand after the Fast Track deployment. All interviewees said time was\nmade available for agents to attend this training as well as additional\ncomputer-based training available on the FBI Intranet.\n\n      However, six of ten interviewees indicated that problems existed\nwith the Learning Management System62 available via the\nFBI Intranet. These six employees generally indicated that the system\nhas not worked well from the beginning, that the system was down\nmore than it was up, and that application problems existed.\n\n   \xe2\x80\xa2   A telecommunications manager from the Chicago Field Office\n       said that employees were unable to determine when classes\n       were being held and that the system \xe2\x80\x9cwas an embarrassment.\xe2\x80\x9d\n\n       62\n          The Learning Management System is a centrally-hosted, web-based\ntraining application available via the FBI Intranet and is designed to allow all\nemployees to: (1) enroll in instructor-led classes, (2) access computer based\ntraining, (3) review training transcripts, and (4) access documentation libraries.\n\n\n                                       - 108 -\n\x0c   \xe2\x80\xa2   Employees from the New York Field Office said the system was\n       not used because of problems with the Trilogy training point-of-\n       contact.\n\n   \xe2\x80\xa2   A supervisory computer specialist from the District of Columbia\n       Field Office said that although there were \xe2\x80\x9cmajor bugs\xe2\x80\x9d with the\n       system, she was able to manually sort out the training timetable\n       to ensure that all employees who desired training received it.\n\ne. Completion of Fast Track Deployment\n\n      Based on the interview results, we concluded that the Fast Track\ndeployment for all five field offices in our sample did not provide the\nquantities of the desktop computers that were expected. As a result,\nthe FBI initiated Extended Fast Track to provide the desktop\ncomputers that were not originally provided with the Fast Track\ndeployment. According to the FBI Project Management Executive,\nmiscommunications between FBI Headquarters and the field offices\nresulted in differences between the number of desktop computers\ndelivered by FBI Headquarters and the number of desktop computers\nexpected to be received. Additionally, the FBI Project Management\nExecutive said shortages of fiber optic cable resulted from these\nmiscommunications, as some field offices budgeted for the wrong\namount of cable. We found that as of June 2002 (the month our\ninterviews were conducted), some field offices did not have sufficient\nquantities of fiber optic cable to complete the deployment and\nhundreds of desktop computers still remained to be delivered.\n\n       We did determine, however, that each desktop computer\ndelivered included the complete baseline hardware and software\npackage specified by the fast track deployment. Additionally, we\nrandomly selected 30 Trilogy desktop computers received by each field\noffice and verified that the desktop computers were received, installed,\nand operational.\n\n       For two of the five field offices we reviewed, additional\ninstallation work remained to complete the Fast Track deployment. At\nthe Los Angeles Field Office, we were informed that about 40 percent\nof the Trilogy desktop computers were not connected to servers and\nnetworked because of the shortage of fiber optic cable. Additionally,\nalthough Los Angeles received the requisite number of Trilogy printers,\nnone of these printers were operational because of the shortage of\nfiber optic cable. At the District of Columbia Field Office, we were\n\n\n                                 - 109 -\n\x0cinformed that only 3 percent of the Trilogy printers received were\noperational because the required fiber optic cables had not yet been\ninstalled.\n\n      Additionally, there appeared to be some confusion between FBI\nHeadquarters and some of the field offices as to the actual number of\nTrilogy desktop computers to be deployed under Fast Track. As a\nresult, four of the field offices had not yet received their full\ncompliment of desktop computers as intended under the Fast Track\ndeployment.\n\n  \xe2\x80\xa2   Chicago Field Office personnel explained that FBI Headquarters\n      initially informed them Fast Track would be a one-for-one\n      exchange of old desktop computers for new desktop computers.\n      Accordingly, they planned for a one-for-one exchange involving\n      approximately 390 Trilogy desktop computers. However, the\n      March 14, 2002 Electronic Communication (EC) indicated that\n      the contractor was shipping 735 Trilogy desktop computers, one\n      for each employee. Chicago Field Office personnel told FBI\n      Headquarters that all they could accommodate at that time was\n      427 desktop computers, enough to accommodate a one-for-one\n      exchange plus an additional ten percent.\n\n  \xe2\x80\xa2   Miami Field Office personnel told us they received 556 desktop\n      computers in January 2002. However, according to the\n      March 14, 2002 Electronic Communication (EC) received\n      3 months later, the Miami Field Office was scheduled to receive\n      739 Trilogy desktop computers in January 2002.\n\n  \xe2\x80\xa2   The March 14, 2002 EC indicated that the District of Columbia\n      Field Office would receive 1,365 Trilogy desktop computers.\n      However, the District of Columbia Field Office actually received\n      950. They indicated that 100 desktop computers would be\n      deployed during the full implementation.\n\n  \xe2\x80\xa2   The March 14, 2002 EC indicated that the New York Field Office\n      would receive 2,101 Trilogy desktop computers, one for each\n      person. New York Field Office personnel told us they received\n      1,245 desktop computers based on a one-for-one computer\n      exchange and that the remaining desktop computers would be\n      deployed during the full implementation.\n\n\n\n\n                                - 110 -\n\x0cf. Most Significant Obstacles to Fast Track Deployment\n\n       When asked to provide what they perceived to be the most\nsignificant obstacles to the Fast Track Deployment, personnel from the\nfive field offices provided the following responses:\n\n   \xe2\x80\xa2   Personnel from the Chicago Field Office stated that FBI\n       Headquarters did not provide sufficient information prior to the\n       deployment and did not inform them of changes in deployment\n       planning. They also indicated that frequent turnover of\n       personnel at FBI Headquarters made planning more challenging.\n       They indicated that because of changing plans, FBI Headquarters\n       required them to submit four separate surveys, three of which\n       were subsequently lost by FBI Headquarters.\n\n   \xe2\x80\xa2   Personnel from the Los Angeles Field Office indicated the\n       contractor did not obtain sufficient input during survey work to\n       understand the full extent of the deployment. Also, the\n       contractor was rushed in completing the deployment. To\n       complete the deployment, Los Angeles personnel had to perform\n       some of the work themselves.\n\n   \xe2\x80\xa2   Personnel from the Miami Field Office indicated that the on-site\n       time to complete the installation phase of the deployment was\n       too narrow.\n\n   \xe2\x80\xa2   Personnel from the New York Field Office indicated that on-site\n       technical personnel were not available to answer questions\n       during survey work. Also, the contractor did not have sufficient\n       time to complete the on-site deployment work.\n\n   \xe2\x80\xa2   Personnel from the District of Columbia Field Office stated the\n       contractor was rushed, and they had to do some of the\n       contractor\xe2\x80\x99s work to expedite the deployment.\n\ng. Limitations to Field Offices Fully Utilizing Trilogy Fast Track\n   Capabilities\n\n      When asked what are the current limitations to utilizing Trilogy\nFast Track capabilities, personnel from the five field offices provided\nthe following responses.\n\n   \xe2\x80\xa2   Chicago Field Office personnel stated that a shortage of fiber\n       optic cable prevented them from making connections between\n\n\n                                 - 111 -\n\x0c         computers and building up the network infrastructure. Without\n         the network infrastructure, they are unable to operate the\n         system at full utilization.\n\n     \xe2\x80\xa2   The Los Angeles Field Office indicated that funds were not\n         available to buy required quantities of fiber optic cable to\n         complete the deployment. Also, FBI Headquarters had not yet\n         developed the macros for Microsoft Word. Further, although\n         Los Angeles has trouble-shooting equipment for its existing\n         application systems, no such equipment has been provided so\n         far for Trilogy.\n\n     \xe2\x80\xa2   The New York Field Office indicated that FBI Headquarters had\n         not yet developed the macros for Microsoft Word.\n\n     \xe2\x80\xa2   The District of Columbia Field Office indicated that it had yet to\n         install the Trilogy printers. Also, FBI Headquarters had not yet\n         developed the macros for Microsoft Word. As a result, agents\n         were still using WordPerfect because of its nearly 1,000 FBI\n         unique macros.\n\nh.       Summary\n\n       Based on the results of our work at the five field offices, the\nExtended Fast Track deployment was still ongoing as of June 2002.\nFor two of the field offices, additional installation work remained to be\ncompleted, and for four of the field offices hundreds of desktop\ncomputers still remained to be delivered. A lack of clear\ncommunication between FBI Headquarters and the field offices\ncontributed to the confusion over the number of desktop computers to\nbe delivered and shortages of fiber optic cable. Additionally contractor\nmaintenance support for the Trilogy architecture was inefficient,\nresulting in agents being without computers for weeks at a time.\nImprovements in agent and support personnel training, procurement\nof trouble-shooting equipment for the Trilogy architecture, and timely\ncustomization of word processing software will enhance user utilization\nof the Trilogy architecture.\n\n\n\n\n                                    - 112 -\n\x0c(6) Recommendations\n\n      We recommend the Director of the FBI:\n\n25.   For future IT deployments, ensure that processes are established\n      for field offices to submit input and receive feedback from FBI\n      Headquarters prior to installing equipment.\n\n26.   Initiate action to remedy contractor deficiencies associated with\n      inefficient: (a) operation of the service support center, and\n      (b) maintenance support for Trilogy architecture.\n\n27.   Initiate action to enhance employee IT training by:\n      (a) remedying problems associated with the FBI\xe2\x80\x99s on-line\n      training system, and (b) developing a training plan specifically\n      tailored to information technology specialists and electronic\n      technicians.\n\n28.   Initiate action to complete the Extended Fast Track deployment\n      timely by: (a) delivering the remaining quantities of Extended\n      Fast Track desktop computers, and (b) procuring sufficient\n      quantities of fiber optic cables.\n\n29.   Initiate action to: (a) procure adequate trouble-shooting\n      equipment for Trilogy architecture, and (b) complete timely\n      development of FBI unique macros for Microsoft Word.\n\n\n\n\n                                - 113 -\n\x0c2. The FBI\xe2\x80\x99s IT Strategic Planning and Performance\n   Measurement\n\n      The FBI\xe2\x80\x99s IT strategic planning and performance\n      measurement is inadequate because: (1) the FBI\'s\n      strategic plan does not incorporate the ITIM process, and\n      (2) the FBI\xe2\x80\x99s strategic plan and performance plan are not\n      consistent with the DOJ\xe2\x80\x99s annual performance plan. These\n      conditions occurred because the FBI has not updated its\n      strategic plan since 1998, and its performance plan does\n      not include strategic objectives, goals, and strategies\n      relating to IT that are consistent with the DOJ\'s annual\n      performance plan. As a result, the FBI will have difficulty\n      advancing its ITIM process through the Framework\xe2\x80\x99s\n      maturity stages. Additionally, there is a heightened risk\n      that the FBI may not be appropriately allocating resources\n      to meet the DOJ\xe2\x80\x99s strategic priorities.\n\nA. Background on Strategic Planning\n\n      Strategic planning is used to determine and reach agreement on\nthe fundamental results the organization seeks to achieve the goals\nand measures it will set to assess programs, and the resources and\nstrategies needed to achieve its goals. Additionally, according to the\nGAO\xe2\x80\x99s June 2002 testimony to the House Appropriations Committee:63\n\n      Strategic planning helps organizations to be proactive,\n      anticipate and address emerging threats, and take\n      advantage of opportunities to be reactive to events and\n      crises. Leading organizations, therefore, understand that\n      planning is not a static or occasional event, but a\n      continuous, dynamic, and inclusive process. Moreover, it\n      can guide decision-making and day-to-day activities.\n\n      The Government Performance and Results Act of 1993\n(Results Act) provides for the establishment of strategic planning and\nperformance measurement in the federal government. It seeks to\nimprove the effectiveness, efficiency, and accountability of federal\nprograms by establishing a system for agencies to set goals for\nprogram performance and to measure results. The Results Act\nrequires agencies to prepare a strategic plan, annual performance\n      63\n         This testimony, \xe2\x80\x9cFBI REORGINAZATION: Initial Steps Encouraging but\nBroad Transformation Needed\xe2\x80\x9d (GAO-02-865T), was made by the Comptroller\nGeneral of the United States on June 21, 2002.\n\n\n                                    - 114 -\n\x0cplans, and annual performance reports. The strategic plan, which is\nthe key requirement of the Results Act, identifies agencies\' long-term\ngoals. Federal agencies are required to update their strategic plan at\nleast every three years.\n\n      While the Results Act applies to the DOJ, it does not specifically\napply to components such as the FBI. However, in our judgment, for\nthe DOJ to comply with the Results Act, the components must have\nstrategic and performance plans that are consistent with, and support,\nthe DOJ\xe2\x80\x99s strategic and performance plans.\n\n      Annual performance plans include measurable goals that define\nwhat an agency will accomplish during a fiscal year. These plans\nshould: (1) establish performance goals to define levels of\nperformance to be achieved; (2) express those goals in an objective,\nquantifiable, and measurable form; (3) briefly describe the operational\nprocesses, skills, technology, human capital, information, or other\nresources required to meet the goals; (4) establish performance\nmeasures for assessing the progress toward, or achievement of, the\ngoals; (5) provide a basis for comparing the actual program results\nwith established goals; and (6) describe the means to be used to\nverify and validate measured values. There are at least two iterations\nof the annual performance plan. The initial annual performance plan is\nsubmitted to the OMB and is used during its review of the agency\'s\nbudget request. The final annual performance plan is submitted to\nCongress soon after the transmittal of the President\'s budget.\n\n       The DOJ\xe2\x80\x99s annual performance plan is comprised of two parts.\nThe first part is a summary performance plan that provides a\ndepartmental overview and synthesis and is submitted as a stand-\nalone document. The second part consists of the individual\nperformance plans of the departmental components. These\ncomponent plans are prepared pursuant to guidance provided by the\nDOJ and are incorporated within the components\xe2\x80\x99 budget submissions.\nComponent plans should support the objectives, goals, and strategies\nof the DOJ\'s annual performance plan so that the DOJ can rely on the\ndata provided through the component reports. In our judgment,\ncomponents that do not incorporate the DOJ\xe2\x80\x99s objectives, goals, and\nstrategies in their strategic and performance plans are at a heightened\nrisk of not allocating resources in accordance with the DOJ\xe2\x80\x99s strategic\npriorities.\n\n\n\n\n                                - 115 -\n\x0cB. Strategic Planning\xe2\x80\x99s Relationship to the ITIM Process\n\n      According to the Framework, the purpose of ITIM is to describe\nand improve the IT investment management processes so that the\nstrategic plans and decisions that are made can and will be supported\nby highly effective IT investments. Similarly, performance measures\ncreated and used to guide the organization and its activities are a\nfactor in some ITIM critical processes. However, in general, activities\nrelated to the ongoing development and implementation of\nperformance measures are largely outside the scope of the GAO ITIM\nFramework.\n\n      Although strategic planning is a function that is largely\nindependent of the ITIM process, strategic planning activities relate to\nthe Framework\xe2\x80\x99s activities at different stages of investment maturity.\nSpecifically, the business needs identification critical process in Stage\nTwo has a key practice that requires the organization to have defined\nbusiness needs or stated mission goals. Additionally, Stage Five\nmaturity, leveraging IT for strategic outcomes, is highly dependent on\nthe comprehensiveness of the organization\xe2\x80\x99s strategic plan. Stage Five\nmaturity also focuses on the organization\xe2\x80\x99s ability to improve strategic\noutcomes, change business processes to take advantage of technology\nchanges, and learn from others by benchmarking processes. Based on\nthe interdependencies between the ITIM and strategic planning\nprocesses, in our judgment the organization\xe2\x80\x99s strategic plan should\naddress IT investment management.\n\n      In July 2002, the DOJ released its IT Strategic Plan that included\nthe following four goals:\n\n      1. share information quickly, easily and appropriately - inside\n         and outside the DOJ;\n\n      2. secure and protect information;\n\n      3. provide reliable, trusted, and cost-effective IT services; and\n\n      4. use IT to improve program effectiveness and performance.\n\nTo meet these goals, the DOJ is focused on four key areas that it\nconsiders to be the building blocks of the IT program: (1) IT\ninfrastructure, (2) information security, (3) common solutions, and\n(4) management roles and processes. One of the strategic initiatives\nthat comprise management roles and processes is: \xe2\x80\x9cEstablish and\n\n\n                                - 116 -\n\x0cimplement improved investment management processes and\npractices.\xe2\x80\x9d 64 Based on this focus, in our judgment the DOJ has\nrecognized the importance of integrating strategic planning with IT\nmanagement.\n\nC. Results of our Assessment of the FBI\xe2\x80\x99s IT Strategic Planning\n   and Performance Measurement\n\n      We found that the FBI\xe2\x80\x99s IT strategic planning and performance\nmeasurement is inadequate because: (1) the FBI\xe2\x80\x99s strategic plan does\nnot incorporate the ITIM process, and (2) the FBI\xe2\x80\x99s strategic plan and\nperformance plan are not consistent with the DOJ\xe2\x80\x99s annual\nperformance plan.\n\n        The FBI\xe2\x80\x99s ITIM Model and Transition Plan states that the\nBureau\xe2\x80\x99s IT strategic plan must incorporate the ITIM process in order\nfor it to achieve advanced IT investment maturity. However, as of the\nend of June 2002, the FBI did not have a current strategic plan\ndedicated to IT. Instead, individual divisions had program plans that\nincluded the use of IT within the particular program.\n\n      Additionally, the Bureau-wide strategic plan has not been\nupdated since 1998. Not only does this time period pre-date the FBI\xe2\x80\x99s\nITIM process, but it also pre-dates the development of the Framework\nin 2000. Officials in the Office of Strategic Planning told us that the\nOffice of Strategic Planning\xe2\x80\x99s recent efforts have not been focused on\nIT.\n\n       The FBI acknowledged to us that it must incorporate strategic\nplanning with its ITIM process, including updating its strategic plan. In\nour judgment, without a new strategic plan, the FBI will limit the\neffectiveness of its ITIM and strategic planning processes.\n\n       Further, we found that the FBI\'s strategic plan (from 1998) and\nits FY 2003 performance plan did not support the DOJ\'s annual\nperformance plan relating to IT. This lack of support occurred because\nthe FBI\xe2\x80\x99s strategic and performance plans are not consistent with the\nstrategic objectives, goals, and strategies relating to IT as the DOJ\'s\nannual performance plan. The DOJ\xe2\x80\x99s FY 2003 annual performance plan\n\n       64\n          Because the DOJ\xe2\x80\x99s IT Strategic Plan was first published in July 2002, we did\nnot assess the FBI\xe2\x80\x99s compliance with it during our audit fieldwork. However, because\nof the recognized relationship between IT investment management and strategic\nplanning, we did examine the FBI\xe2\x80\x99s strategic plan to determine if it incorporated the\nITIM process.\n\n\n                                      - 117 -\n\x0cincludes the strategic objective to "make effective use of IT."\nAdditionally, this strategic objective is supported by the annual goal to\n"expand electronic access and dissemination of information while\nensuring IT security and cost effective IT investments meet\nprogrammatic and customer needs." However, both the strategic\nobjective and the annual goal are not included within the FBI strategic\nplan and FY 2003 performance plan. As a result, there is a heightened\nrisk the FBI may not be appropriately allocating resources to meet the\nDOJ\xe2\x80\x99s strategic priorities.\n\nD. Summary\n\n      The FBI must have a Bureau-wide IT strategic plan to maximize\nthe use of its IT investments, rather than having the division-specific\nIT focus that is currently in place. In fact, the purpose of the FBI\xe2\x80\x99s\nITIM process is to move away from managing IT in division\n\xe2\x80\x9cstovepipes\xe2\x80\x9d to a centralized, Bureau-wide management focus. The\nFBI\xe2\x80\x99s strategic planning process must evolve with the ITIM process to\nensure the success of both functions.\n\nE. Recommendation\n\n      We recommend that the Director of the FBI ensures:\n\n30. The IT strategic plan and performance plans are updated to:\n    (a) fully integrate these plans with the FBI\xe2\x80\x99s ITIM process; and\n    (b) include those performance goals and indicators included in\n    the DOJ\xe2\x80\x99s IT Strategic Plan.\n\n\n\n\n                                 - 118 -\n\x0c            STATEMENT ON COMPLIANCE WITH\n                LAWS AND REGULATIONS\n\n      We have audited the FBI\xe2\x80\x99s management of IT investments. In\nconnection with the audit, as required by the standards, we reviewed\nmanagement processes and records to obtain reasonable assurance\nabout the FBI\xe2\x80\x99s compliance with laws and regulations that, if not\ncomplied with, in our judgment, could have a material effect on FBI\noperations. Compliance with laws and regulations applicable to the\nFBI\xe2\x80\x99s management of IT investments is the responsibility of the FBI\xe2\x80\x99s\nmanagement.\n\n      Our audit included examining, on a test basis, evidence about\nlaws and regulations. The specific laws and regulations against which\nwe conducted our tests are contained in the relevant portions of:\n\n  \xe2\x80\xa2   the Government Performance and Results Act of 1993; and\n\n  \xe2\x80\xa2   the Clinger-Cohen Act of 1996.\n\n      Our audit identified areas where the FBI was not in compliance\nwith the laws and regulations referred to above. With respect to\ntransactions that were not tested, nothing came to our attention that\ncaused us to believe that FBI management was not in compliance with\nthe laws and regulations cited above.\n\n\n\n\n                                - 119 -\n\x0c         STATEMENT ON MANAGEMENT CONTROLS\n\n       In planning and performing our audit of the FBI\xe2\x80\x99s management\nof IT investments, we considered the FBI\xe2\x80\x99s management controls for\nthe purpose of determining our audit procedures. This evaluation was\nnot made for the purpose of providing assurance on the management\ncontrol structure as a whole; however, we noted certain matters that\nwe consider to be reportable conditions under Government Auditing\nStandards.\n\n       Reportable conditions involve matters coming to our attention\nrelating to significant deficiencies in the design or operation of the\nmanagement control structure that, in our judgment, could adversely\naffect the FBI\xe2\x80\x99s ability to manage its IT investments. During our audit,\nwe found the following management control deficiencies.\n\n   \xe2\x80\xa2   The FBI lacked the basic selection and control processes\n       necessary to build its IT investment capability.\n\n   \xe2\x80\xa2   The FBI\xe2\x80\x99s IT strategic planning and performance measurement\n       activities did not include its IT investment management process.\n\n       Because we are not expressing an opinion on the FBI\xe2\x80\x99s\nmanagement control structure as a whole, this statement is intended\nsolely for the information and use of the FBI in managing its IT\ninvestments. This restriction is not intended to limit the distribution of\nthis report, which is a matter of public record.\n\n\n\n\n                                 - 120 -\n\x0c                                                                  APPENDIX 1\n\n\n            OBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjectives\n\n       The primary objectives of the audit were to: (1) determine\nwhether the FBI was effectively managing its IT investments; and\n(2) assess the FBI\xe2\x80\x99s IT strategic planning and performance\nmeasurement activities.65 In determining whether the FBI was\neffectively managing its IT investments, we also examined the FBI\xe2\x80\x99s\nefforts in developing enterprise architecture and project management\nfunctions. These two functions both complement and facilitate IT\ninvestment management. Additionally, we performed a case study of\nTrilogy, a significant IT project, to determine how the FBI\xe2\x80\x99s IT\ninvestment management practices affected the project\xe2\x80\x99s progress.\n\nScope and Methodology\n\n      The audit was performed in accordance with Government Auditing\nStandards, and included tests and procedures necessary to accomplish\nthe audit objectives. We conducted work at: (1) FBI Headquarters in\nWashington, D.C. (2) FBI Laboratory facilities in Quantico, Virginia, and\n(3) FBI field offices in New York City, New York; Los Angeles, California;\nChicago, Illinois; Miami, Florida; and Washington, D.C.\n\n      To perform our audit, we conducted approximately 85 interviews\nwith 70 officials from the FBI (including field offices), DOJ, OMB, and\nGAO. The FBI officials interviewed were from the Director\xe2\x80\x99s office,\nInformation Resources Division, Criminal Justice Information Services\nDivision, Laboratory Division, Inspection Division, and Finance Division.\nAdditionally, we reviewed over 200 documents related to IT\nmanagement policies and procedures, project management guidance,\nstrategic and program plans, IT project proposals and management\nplans, budget documentation, organizational structures, Congressional\ntestimony, and prior GAO and OIG reports.\n\n      To determine whether the FBI is effectively managing its IT\ninvestments, we applied the GAO\xe2\x80\x99s ITIM framework and the associated\nassessment method. As part of the Framework\xe2\x80\x99s assessment method,\n\n       65\n         During our audit fieldwork, we initiated work relating to a third objective:\nto determine if the FBI has implemented prior information technology related\nrecommendations and improved its information technology. We will issue a separate\nreport on this objective.\n\n\n\n                                      - 121 -\n\x0cthe FBI conducted a self-assessment of its IT investment management\nactivities using the Framework. The self-assessment included those\nprocesses that the FBI had in place as of the beginning of our audit.\nAdditionally, the self-assessment covered those processes that the FBI\nwas planning to implement based on its IT Investment Management\nModel and Transition Plan.66 In the self-assessment, the FBI indicated\nwhether it executed each of the key practices in Stages Two through\nFive. The FBI asserted that it executed 27 of the 38 key practices from\nStage Two, 3 of the 53 key practices from Stage Three, and none of the\nkey practices from Stages Four and Five. Additionally, it stated in the\nself-assessment that the IT Investment Management Model and\nTransition Plan would be supplemented so that the FBI would eventually\nimplement the critical processes necessary to achieve Stage Four\nmaturity, as well as many of the key practices from Stage Five.\n\n      Because FBI officials stated in the IT Investment Management\nModel and Transition Plan that its initial goal was to advance to Stage\nTwo, by default, the FBI indicated that it was in Stage One maturity.\nAs a result, we validated the FBI\xe2\x80\x99s execution of the 38 key practices\nfrom Stage Two, and assessed the FBI\xe2\x80\x99s ability to improve its IT\ninvestment management practices through implementation of the ITIM\nprocess defined in the IT Investment Management Model and Transition\nPlan.\n\n       The Stage Two critical processes and key practices we examined\nfocus primarily on the FBI\xe2\x80\x99s ability to effectively select and control its IT\ninvestments. To determine whether the FBI had implemented the\ncritical processes and key practices in Stage Two, we evaluated policies,\nprocedures, and guidance related to the FBI\xe2\x80\x99s IT investment\nmanagement activities.\n\n      We compared the evidence collected from our document reviews\nand interviews to the key practices and critical processes defined in the\nFramework. Because the Framework is a hierarchical model, the rating\nof each critical process is dependent on the key practices below it.\nTherefore, we first rated the key practices. In accordance with the\nFramework\xe2\x80\x99s assessment method, we rated a key practice as\n\xe2\x80\x9cexecuted\xe2\x80\x9d when we determined that the FBI was executing the key\naspects of the practice. A key practice was rated as \xe2\x80\x9cnot executed\xe2\x80\x9d\nwhen we determined that there were significant weaknesses in the\n\n      66\n          Although the FBI\xe2\x80\x99s IT Investment Management Model and Transition Plan,\nissued in January 2002, states that its primary goal is to provide the conceptual\nframework for Stage Two maturity, it also outlines the steps the FBI must take to\nadvance to Stage Four maturity in preparation to achieving Stage Five maturity.\n\n\n                                     - 122 -\n\x0cFBI\xe2\x80\x99s execution of the key practice and the FBI offered no adequate\nalternative, or when we found no evidence of a practice during the\nreview.\n\n      Once the key practices were rated, we rated each of the\nStage Two critical processes we reviewed. A critical process was rated\n\xe2\x80\x9cimplemented\xe2\x80\x9d if all of the underlying key practices were rated as\nbeing executed. A critical process was rated as \xe2\x80\x9cnot yet implemented,\nbut substantial progress made\xe2\x80\x9d if over half, but not all, of its\nunderlying key practices were rated as being executed. A critical\nprocess was rated as \xe2\x80\x9cnot implemented\xe2\x80\x9d when there were significant\nweaknesses (i.e., fewer than 50 percent of the key practices had not\nbeen implemented) in the FBI\xe2\x80\x99s implementation of the underlying key\npractices and no adequate alternative was in place.\n\n      Beginning in March 2002, the FBI pilot tested the select phase of\nits new ITIM process. To measure the FBI\xe2\x80\x99s progress in improving the\nexecution of Stage Two key practices during the course of our audit,\nwe documented the key practices executed: (1) before the\nimplementation start of the test pilot in March 2002, and (2) as of the\nend of our fieldwork in June 2002.\n\n    Our assessment of the FBI\xe2\x80\x99s ability to improve its IT investment\nmanagement consisted of the following four areas:\n\n      1. the Plan\xe2\x80\x99s coverage of Stage Two key practice activities that\n         were not being executed during our fieldwork;\n\n      2. the amount of participation from ITIM users in developing the\n         ITIM process;\n\n      3. the support from the project management function; and\n\n      4. the support from the enterprise architecture function.\n\n        In addition, we performed a case-study of the Trilogy project to\ndetermine how the FBI\xe2\x80\x99s IT investment management practices have\naffected its progress. Trilogy was selected for a case-study because it\nis currently the FBI\xe2\x80\x99s most expensive IT project and its implementation\nis critical to the FBI\xe2\x80\x99s ability to achieve its mission. Trilogy is intended\nto provide the right hardware and software tools to the FBI\xe2\x80\x99s agents\nand analysts, enable the FBI\xe2\x80\x99s investigative personnel to easily and\nrapidly find, present, and manipulate required information, and\ntransport and share information quickly and efficiently across the\n\n\n                                  - 123 -\n\x0cBureau. We performed the case-study both at FBI Headquarters where\nwe interviewed individuals responsible for the project, as well as at five\nFBI field offices (New York, District of Columbia, Los Angeles, Miami,\nand Chicago) where we interviewed individuals responsible for assisting\nin the deployment of the new system, as well as agents utilizing the\nsystem.\n\n      To assess the FBI\xe2\x80\x99s IT strategic planning and performance\nmeasurement activities, we reviewed strategic and performance\nplanning documentation from the FBI, the DOJ\xe2\x80\x99s Strategic Plan for\nFYs 2001 to 2006, the DOJ\xe2\x80\x99s FY 2001 Performance Report, the\nDOJ\xe2\x80\x99s FY 2002 Revised Final Performance Plan for FY 2003, and the\nDOJ\xe2\x80\x99s IT Strategic Plan. To supplement our document review, we also\ninterviewed officials responsible for creating FBI strategic and\nperformance plans.\n\n\n\n\n                                 - 124 -\n\x0c                                                                              APPENDIX 2\n\n\n\nFLOWCHART OF FBI\xe2\x80\x99S ITIM CONTROL PHASE\n\n\n\n\n                        Monthly\n                        Reviews\n                                                       Submits Program\n                                                      Package to PMOs for\n                                                            Review\n                      Project Teams\n                     provide detailed\n                   status of project per\n                    SDLC milestones\n                                                         PMOs assess\n                                                       projects. Develop\n                                                      exception information\n                                                           for review.\n                    Project Sponsor\n                                                Yes\n             No         Reviews\n                                                          TRB reviews\n                                                         exceptions and\n                                                           formulates\n                                                      recommendations to\n                                                            the POC\n                       Approve?\n\n\n\n                                                         POC initiates\n                                                       corrective actions,\n                                                            submits\n                                                      recommendations to\n                                                             ERB.\n\n\n\n                                                          ERB reviews\n                                                       recommendations\n                                                      and takes actions as\n                                                          appropriate.\n\n\n\n\nSource: FBI\xe2\x80\x99s training materials for the ITIM process as of\nFebruary 2002.\n\n\n\n\n                                           - 125 -\n\x0c                                                                                     APPENDIX 3\n\nFLOWCHART OF FBI\xe2\x80\x99S ITIM EVALUATE PHASE\n\n\n\n\n                           Monthly\n                           Reviews\n\n\n\n                                                   POC reviews and\n                        Project Teams                 develops\n                         complete Post           recommendations for\n                        Implementation               ERB action\n                       Review information\n\n\n\n\n                        Project Sponsor\n                       Reviews/Business\n                 No    Sponsor Reviews\n                                                      Active                         Yes\n                                                      Group?\n\n\n\n                           Approve?\n                                                         No\n\n\n                              Yes\n                                                     ERB reviews\n                                                                                 ERB reviews\n                                                 recommendations for\n                                                                             recommendations for\n                                                       process\n                       Submits Review                                        continued investment\n                                                     improvement\n                      Package to PMO for\n                         Assessment\n\n\n\n\n                                                               EA/PMO documents\n                       PMO reviews and                          best practices and\n                        summarizes the                         communicates to all\n                       materials for POC.                      other program teams\n\n\n\n\nSource: FBI\xe2\x80\x99s training materials for the ITIM process as of\nFebruary 2002.\n\n\n\n\n                                       - 126 -\n\x0c                                 APPENDIX 4\n\n\nJMD\xe2\x80\x99S ASSESSMENT OF THE FBI\xe2\x80\x99S ITIM PROCESS\n\n\n\n\n                  - 127 -\n\x0c- 128 -\n\x0c- 129 -\n\x0c- 130 -\n\x0c- 131 -\n\x0c- 132 -\n\x0c                                                       APPENDIX 5\n\n GAO\xe2\x80\x99S FIVE STAGES OF ENTERPRISE ARCHITECTURE\n                   MATURITY\n\n\n\n\nStage One: Creating Enterprise Architecture Awareness is\ncharacterized by either no plans to develop and use an enterprise\narchitecture (EA), or plans and actions that do not yet demonstrate an\nawareness of the value of having and using one. While Stage One\nagencies may have initiated some EA core elements, these agencies\xe2\x80\x99\nefforts are ad hoc and unstructured, and do not provide the\nmanagement foundation necessary for successful EA development.\n\nStage Two: Building the EA Management Foundation focuses on\nassignment of roles and responsibilities and establishment of plans for\ndeveloping EA products. Specifically, a Stage Two agency has\n\n                                - 133 -\n\x0cdesignated a chief architect and established and staffed a program\noffice responsible for EA development. Further, a steering committee\nor group that has responsibility for directing and overseeing the\ndevelopment has been established and the membership of the steering\ncommittee is comprised of business and IT representatives. At\nStage Two, the agency either has plans for developing or has begun\ndevelopment of at least some of the necessary EA products. This\nstage also requires the agency to have selected both a framework that\nwill be the basis for the nature and content of the specific products it\nplans to develop, and an automated tool to help in the development.\n\nStage Three: Developing Architecture Products focuses on actual\ndevelopment of EA products. At Stage Three, the agency has defined\nthe scope of its EA as encompassing the entire enterprise, whether\norganization based or function-based, and it has a written and\napproved policy demonstrating institutional commitment. Although\nthe products may not yet be complete, these products are intended to\ndescribe the agency in business, data, applications, and technology\nterms. Further, the products are to describe the current (i.e., \xe2\x80\x9cas is\xe2\x80\x9d)\nand future (i.e., \xe2\x80\x9cto be\xe2\x80\x9d) states and the plan for transitioning from\ncurrent to future state (i.e., sequencing plan). Also, as the\narchitecture products are being developed, these products are to be\nsubject to configuration control.\n\nStage Four: Completing EA Products is characterized by complete\nand approved EA products that the agency can use to help select and\ncontrol its portfolio of IT investments. The complete products describe\nthe agency in business, data, applications, and technology terms.\nAlso, the products are complete in that the products describe the\nagency\xe2\x80\x99s current and future states and the transition plan for\nsequencing from the current state to the future state. Further, the\nagency\xe2\x80\x99s Chief Information Officer has approved the EA and the\nagency has a written policy requiring that IT investments comply with\nthe EA.\n\nStage Five: Leveraging the EA for Managing Change entails\nevolving the products according to a written and approved policy for\nEA maintenance. Also at this stage, either the steering committee,\ninvestment review board, or agency head approves the EA. Finally,\nthe agency has incorporated the EA into its corporate decision-making\nand has established and is using metrics to measure the effectiveness\nof its EA.\n\n      Source: GAO Report, \xe2\x80\x9cINFORMATION TECHNOLOGY: Enterprise Architecture\n      Use across the Federal Government Can Be Improved\xe2\x80\x9d (GAO-02-6).\n\n                                 - 134 -\n\x0c                                                             APPENDIX 6\n\nFBI\xe2\x80\x99S ENTERPRISE ARCHITECTURE MATURITY SURVEY\n\n\n\n\n   Source: GAO Report, \xe2\x80\x9cINFORMATION TECHNOLOGY: Enterprise Architecture\n   Use   across the Federal Government Can Be Improved\xe2\x80\x9d (GAO-02-6).\n\n\n\n\n                              - 135 -\n\x0c          APPENDIX 7\n\n\n\n\n- 136 -\n\x0c- 137 -\n\x0c- 138 -\n\x0c- 139 -\n\x0c- 140 -\n\x0c- 141 -\n\x0c- 142 -\n\x0c- 143 -\n\x0c- 144 -\n\x0c- 145 -\n\x0c- 146 -\n\x0c- 147 -\n\x0c- 148 -\n\x0c- 149 -\n\x0c- 150 -\n\x0c- 151 -\n\x0c- 152 -\n\x0c                                                                APPENDIX 8\n\n     OIG, AUDIT DIVISION ANALYSES AND SUMMARY\n      OF ACTIONS NECESSARY TO CLOSE REPORT\n\n      In its response to the draft report, the FBI requested that this report\nbe classified For Official Use Only or Limited Official Use. However, in a\nsensitivity review conducted prior to issuance of the final report, the FBI did\nnot request classification of the report or limitation of its distribution.\nConsequently, this report is unclassified and not restricted in its distribution.\n\nRecommendation Number:\n\n1.    Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to plan for and take more timely action to allow board\n      members and other ITIM users to execute assigned responsibilities\n      competently. This recommendation can be closed when we receive\n      documentation demonstrating that: (a) the ITIM Program Office has\n      established regularly scheduled meetings for the investment boards\n      with standing agendas of items to be discussed, and (b) the ITIM\n      Program Office maintains an up-to-date list of items requiring board\n      member action and the status of those items.\n\n2.    Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to ensure that all members of the IT investment boards\n      receive sufficient education and training to execute assigned\n      responsibilities effectively. The FBI\xe2\x80\x99s response states that additional\n      training will be held in the second and third quarters of\n      FY 2003; however, it does not explicitly state that education and\n      training plans will be developed. This recommendation can be closed\n      when we receive: (a) the ratified Roles and Responsibilities\n      documents dated June 2002 that specifically identify the roles and\n      responsibilities for each investment board member, and (b) education\n      and training plans to ensure board members acquire the required core\n      competencies.\n\n3.    Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to ensure FBI IT project mangers consistently follow official\n      project management guidance. However, the FBI\xe2\x80\x99s response does not\n      indicate a date when such a process will be established. We request\n      that in its next corrective action correspondence the FBI provide a\n\n                                     - 153 -\n\x0c       timeframe for implementation of this recommendation. This\n       recommendation can be closed when we receive documentation that\n       official project management guidance has been implemented and\n       consistently followed.\n\n4.     Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n       agreement to develop written policies and procedures for management\n       oversight of IT projects for use by the investment review boards. The\n       FBI\xe2\x80\x99s response indicates that detailed written policies will be completed\n       in the third quarter of FY 2003. This recommendation can be closed\n       when we receive a copy of the written policies and procedures.\n\n5.     Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n       agreement to support the IT investment review boards with a\n       centralized project management office that operates in accordance\n       with ITIM policies and procedures. The FBI\xe2\x80\x99s response indicates that a\n       centralized project management office has been established and will\n       be supporting the investment review boards during the Control phase\n       of the ITIM pilot test.67 This recommendation can be closed when we\n       receive documentation such as organization charts, charters, and\n       policy guidance demonstrating that the centralized project\n       management office has been established and operates in accordance\n       with ITIM policies and procedures.\n\n6.     Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n       agreement to develop a project management plan for each IT project,\n       approved by the Project Oversight Committee, that includes cost and\n       schedule controls. While the FBI\xe2\x80\x99s response indicates that the\n       centralized project management office will develop project\n       management plans, it is not clear when these actions will be initiated.\n       We request that in its next corrective action correspondence the FBI\n       provide a timeframe for implementation of this recommendation. This\n       recommendation can be closed when we receive documentation\n       demonstrating that each IT project has a project management plan\n       approved by the Program Oversight Committee.\n\n7.     Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n       agreement to ensure that information in the IT asset inventory is\n\n       67\n        The FBI\xe2\x80\x99s response states that the roll-out of the Control phase is expected to be\ncompleted by the fourth quarter of FY 2003.\n                                         - 154 -\n\x0c     made available to, and used by, the boards. The FBI\xe2\x80\x99s response\n     indicates that an assessment of the IT asset inventory will initially be\n     shared with the boards in the third quarter of FY 2003. This\n     recommendation can be closed when we receive documentation\n     demonstrating that the IT asset inventory is used by the boards as an\n     investment decision-making tool.\n\n8.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n     agreement to execute, by the fourth quarter of FY 2003, the key\n     practice activities necessary for the investment review boards to\n     maintain effective oversight of IT projects. These key practices are:\n\n     \xe2\x80\xa2   providing each project\xe2\x80\x99s up-to-date cost and schedule data to the\n         appropriate IT investment board;\n\n     \xe2\x80\xa2   establishing criteria for the boards to review each IT project\xe2\x80\x99s\n         performance by comparing actual cost and schedule data to\n         expectations;\n\n     \xe2\x80\xa2   performing special reviews of projects that have not met\n         predetermined performance standards;\n\n     \xe2\x80\xa2   defining, documenting, and agreeing to corrective actions for each\n         under-performing project by the appropriate IT investment board\n         and project manager; and\n\n     \xe2\x80\xa2   tracking and implementing corrective actions until the desired\n         outcome is achieved.\n\n     This recommendation can be closed when we receive documentation\n     demonstrating that the five key practice activities listed above have\n     been executed.\n\n9.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n     agreement to ensure progress toward completing the IT asset\n     inventory is monitored. The FBI\xe2\x80\x99s response states that the established\n     deadline for completing and validating the IT inventory is end of the\n     second quarter of FY 2003. This recommendation can be closed when\n     we receive documentation demonstrating that progress toward\n     completion is evaluated.\n\n                                    - 155 -\n\x0c10.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to implement processes that ensure: (a) subsequent\n      changes to IT projects and systems are identified and documented in\n      the inventory, (b) information from the inventory is available on\n      demand to decision-makers and other affected parties, and (c) the IT\n      project and system inventory and its information records are\n      maintained to contribute to future investment selections and\n      assessments. This recommendation can be closed when we receive\n      documentation demonstrating that the processes have been\n      implemented. The FBI\xe2\x80\x99s response indicates that periodic updates to\n      the IT inventory are planned for the fourth quarter of FY 2003.\n\n11.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to develop written policies and procedures for identifying\n      the business needs (and the associated users) for each IT project. The\n      FBI\xe2\x80\x99s response states that since March 2002, the Concept Paper and\n      Exhibit 300 have been used to standardize the documentation of the\n      business case. While we agree that these forms can be used to\n      document the business needs and users of IT projects, we do not\n      agree that these forms are sufficient evidence that a policy or\n      procedure exists. This recommendation can be closed when we\n      receive a copy of the written policies and procedures for identifying the\n      business needs and users of IT projects.\n\n12.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to train ITIM users in identifying business needs and\n      associated users. While the FBI\xe2\x80\x99s response states that training for the\n      Select phase was completed in March 2002, and that additional\n      training will be held when the Control and Evaluate phases are rolled\n      out (second and third quarters of FY 2003, respectively), it does not\n      specify that the training encompasses business needs identification.\n      This recommendation can be closed we receive documentation\n      demonstrating that such training is taking place.\n\n13.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to ensure identified users participate in project\n      management throughout a project\xe2\x80\x99s life-cycle. The FBI\xe2\x80\x99s response\n      states that the project management office will institute procedures to\n      ensure user involvement throughout a project\xe2\x80\x99s life-cycle, but does not\n      specify when these procedures will be instituted. We request that in\n      its next corrective action correspondence the FBI provide a timeframe\n                                   - 156 -\n\x0c      for implementation of this recommendation. This recommendation can\n      be closed when we receive documentation demonstrating that the FBI\n      instituted procedures requiring participation of end users throughout\n      the project\xe2\x80\x99s life-cycle.\n\n14.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to ensure the ITIM process applies to all proposals,\n      including those funded through the FBI\xe2\x80\x99s base funding. The FBI\xe2\x80\x99s\n      response states that base funding requests are planned to be included\n      in the FY 2003 Select phase. This recommendation can be closed\n      when we receive documentation demonstrating that the ITIM process\n      has been applied to all proposals.\n\n15.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to provide sufficient staffing to the ITIM Program Office, as\n      recommended in the Post-Implementation Review. Although the FBI\xe2\x80\x99s\n      response states that six additional full-time staff have been requested\n      for the ITIM Program Office, it did not specify when such positions are\n      expected to be filled. We request that in its next corrective action\n      correspondence the FBI provide a timeframe for implementation of this\n      recommendation. This recommendation can be closed when we\n      receive documentation demonstrating that the staffing requests have\n      been fulfilled.\n\n16.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      response stating that all recommendations set forth in the Post-\n      Implementation Review relating to expanding policies and procedures\n      were implemented by September 2002. This recommendation can be\n      closed when we receive documentation demonstrating that the policies\n      and procedures have been implemented.\n\n17.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      response that input from various ITIM users was incorporated into the\n      design of the Control and Evaluate phases through interviews and\n      working group sessions completed in September 2002. This\n      recommendation can be closed when we receive documentation\n      demonstrating that such working group sessions were conducted and\n      that input was incorporated.\n\n18.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to modify the ITIM process so that the Technical Review\n                                   - 157 -\n\x0c      Board and Enterprise Architecture Technical Committee perform a\n      business architecture compliance review of IT proposals to ensure\n      these proposals support the missions of the FBI. The FBI\xe2\x80\x99s response\n      states that this modification will be completed by the third quarter of\n      FY 2003. This recommendation can be closed when we receive a copy\n      of the modified ITIM process.\n\n19.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to prepare a plan that specifically details how the project\n      management office will support the ITIM process. However, the FBI\xe2\x80\x99s\n      response did not specify when this plan will be completed. We request\n      that in its next corrective action correspondence the FBI provide a\n      timeframe for implementation of this recommendation. This\n      recommendation can be closed when we receive a copy of the\n      completed plan.\n\n20.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to develop and implement a plan detailing how and when it\n      will integrate the ITIM process with a system development life-cycle\n      methodology. Although the FBI\xe2\x80\x99s response indicates that the project\n      management office will integrate the ITIM process with a system\n      development life-cycle methodology, it does not specify when this will\n      be accomplished. We request that in its next corrective action\n      correspondence the FBI provide a timeframe for implementation of this\n      recommendation. This recommendation can be closed when we\n      receive documentation demonstrating that this integration has been\n      completed.\n\n21.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to continue its efforts to establish a comprehensive\n      enterprise architecture. The FBI\xe2\x80\x99s response states that it has a target\n      to implement the first phase of a world-class enterprise architecture\n      framework by April 2003. This recommendation can be closed when\n      we receive a documentation demonstrating that the first phase of the\n      enterprise architecture has been developed and a maturation plan is in\n      place.\n\n22.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to establish cost, schedule, technical, and performance\n      baselines for Trilogy and track significant deviations from these\n      baselines. The FBI\xe2\x80\x99s response states that baselines will be established\n                                   - 158 -\n\x0c      once the current Engineering Change Proposals are negotiated,\n      although no target dates were provided. We request that in its next\n      corrective action correspondence the FBI provide a timeframe for\n      implementation of this recommendation. This recommendation can be\n      closed when we receive documentation demonstrating that the\n      baselines have been established and are being monitored.\n\n23.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to adequately define, document, and share technical\n      requirements for Trilogy. The FBI\xe2\x80\x99s response states that functional\n      requirements have been defined for Trilogy\xe2\x80\x99s User Application\n      Component. This recommendation can be closed when we receive\n      documentation demonstrating that the technical requirements for the\n      User Application Component have been adequately defined,\n      documented, and shared with appropriate users.\n\n24.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to prepare an action plan to address the risks identified by\n      the three internal reports on Trilogy by December 31, 2002. This\n      recommendation can be closed when we receive a copy of the\n      approved action plans and documentation demonstrating that the\n      plans are being monitored for implementation.\n\n25.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement with our recommendation. The FBI\xe2\x80\x99s response states that\n      a successful process was used for the site installation schedule for the\n      Trilogy project. However, we do not believe that the initial site survey\n      utilized in the Trilogy deployment is an adequate process to submit\n      input and receive feedback from FBI field offices. Our position is that\n      a more comprehensive process could have mitigated the lack of clear\n      communication between FBI Headquarters and field offices that caused\n      confusion over the number of desktop computers to be delivered and\n      shortages of fiber optic cable. This recommendation can be closed\n      when we receive documentation demonstrating that such a process\n      has been established for future IT deployments.\n\n26.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to remedy contractor deficiencies associated with\n      (a) operation of the service support center, and (b) maintenance\n      support for Trilogy architecture. This recommendation can be closed\n\n                                   - 159 -\n\x0c      when we receive documentation regarding the new maintenance\n      contract and reductions in outstanding trouble tickets.\n\n27.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to enhance employee training by: (a) remedying problems\n      associated with the FBI\xe2\x80\x99s on-line training system, and\n      (b) developing a training plan specifically tailored to information\n      technology specialists and electronic technicians. This\n      recommendation can be closed when we receive: (a) documentation\n      demonstrating that the outstanding issues with the on-line training\n      system have been resolved, and (b) documentation of the Trilogy\n      training received by the information technology specialists and\n      electronic technicians regarding Trilogy software and hardware.\n\n28.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to: (a) deliver the remaining Extended Fast Track desktop\n      computers to all sites except New York City by December 31, 2002,\n      and New York City by February 2002, and (b) obtain sufficient fiber\n      optic cable from other FBI funding. This recommendation can be\n      closed when we receive documentation demonstrating that: (a) the\n      remaining Extended Fast Track desktop computers have been\n      deployed, and (b) sufficient fiber optic cable has been obtained.\n\n29.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to: (a) procure adequate trouble-shooting equipment for\n      Trilogy architecture when the Enterprise Operations Center is\n      operational, and (b) choose a web-based approach for submissions\n      previously supported by Word Perfect macros. While the FBI\n      disagreed with the original part (b) of this recommendation (that it\n      \xe2\x80\x9ccomplete timely development of FBI unique macros for Microsoft\n      Word\xe2\x80\x9d), it offered the acceptable alternative action of web-based\n      submissions. However, the FBI did not provide estimated completion\n      dates for these planned actions. We request that in its next corrective\n      action correspondence the FBI provide a timeframe for implementation\n      of this recommendation. This recommendation can be closed when we\n      receive documentation demonstrating that: (a) adequate trouble-\n      shooting equipment for Trilogy equipment has been procured, and\n      (b) a web-based approach has been established to replace Word\n      Perfect macros.\n\n\n                                   - 160 -\n\x0c30.   Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n      agreement to update the IT strategic and performance plans so that\n      the plans: (a) are fully integrated with the FBI\xe2\x80\x99s ITIM process, and\n      (b) include those performance goals and indicators included in the\n      DOJ\xe2\x80\x99s IT Strategic Plan. The FBI\xe2\x80\x99s response states that its IT Strategic\n      Planning process will be updated and integrated with the ITIM\n      framework by the fourth quarter of FY 2003. However, the response\n      does not state that the FBI\xe2\x80\x99s IT Strategic Planning process will\n      incorporate performance goals and indicators included in the DOJ\xe2\x80\x99s IT\n      Strategic Plan. This recommendation can be closed we receive a copy\n      of the updated Strategic Planning process that includes the above\n      requirements.\n\n\n\n\n                                   - 161 -\n\x0c'